TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / OP-TEE / optee_os / 0fc9291f405157f935e0001622f91b759ce44be6 / . / lib / libmbedtls / mbedtls / library / chachapoly.c
blob: a1314eab6dfba44204dfef4cf5a10e135fd09875 [file] [log] [blame]
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]1/**
2 * \file chachapoly.c
3 *
4 * \brief ChaCha20-Poly1305 AEAD construction based on RFC 7539.
5 *
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]6 * Copyright The Mbed TLS Contributors
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]7 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]8 */
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]9#include "common.h"
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]10
11#if defined(MBEDTLS_CHACHAPOLY_C)
12
13#include "mbedtls/chachapoly.h"
14#include "mbedtls/platform_util.h"
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]15#include "mbedtls/error.h"
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]16#include "mbedtls/constant_time.h"
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]17
18#include <string.h>
19
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]20#include "mbedtls/platform.h"
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]21
22#if !defined(MBEDTLS_CHACHAPOLY_ALT)
23
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]24#define CHACHAPOLY_STATE_INIT (0)
25#define CHACHAPOLY_STATE_AAD (1)
26#define CHACHAPOLY_STATE_CIPHERTEXT (2) /* Encrypting or decrypting */
27#define CHACHAPOLY_STATE_FINISHED (3)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]28
29/**
30 * \brief Adds nul bytes to pad the AAD for Poly1305.
31 *
32 * \param ctx The ChaCha20-Poly1305 context.
33 */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]34static int chachapoly_pad_aad(mbedtls_chachapoly_context *ctx)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]35{
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]36 uint32_t partial_block_len = (uint32_t) (ctx->aad_len % 16U);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]37 unsigned char zeroes[15];
38
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]39 if (partial_block_len == 0U) {
40 return 0;
41 }
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]42
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]43 memset(zeroes, 0, sizeof(zeroes));
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]44
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]45 return mbedtls_poly1305_update(&ctx->poly1305_ctx,
46 zeroes,
47 16U - partial_block_len);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]48}
49
50/**
51 * \brief Adds nul bytes to pad the ciphertext for Poly1305.
52 *
53 * \param ctx The ChaCha20-Poly1305 context.
54 */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]55static int chachapoly_pad_ciphertext(mbedtls_chachapoly_context *ctx)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]56{
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]57 uint32_t partial_block_len = (uint32_t) (ctx->ciphertext_len % 16U);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]58 unsigned char zeroes[15];
59
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]60 if (partial_block_len == 0U) {
61 return 0;
62 }
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]63
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]64 memset(zeroes, 0, sizeof(zeroes));
65 return mbedtls_poly1305_update(&ctx->poly1305_ctx,
66 zeroes,
67 16U - partial_block_len);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]68}
69
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]70void mbedtls_chachapoly_init(mbedtls_chachapoly_context *ctx)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]71{
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]72 mbedtls_chacha20_init(&ctx->chacha20_ctx);
73 mbedtls_poly1305_init(&ctx->poly1305_ctx);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]74 ctx->aad_len = 0U;
75 ctx->ciphertext_len = 0U;
76 ctx->state = CHACHAPOLY_STATE_INIT;
77 ctx->mode = MBEDTLS_CHACHAPOLY_ENCRYPT;
78}
79
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]80void mbedtls_chachapoly_free(mbedtls_chachapoly_context *ctx)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]81{
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]82 if (ctx == NULL) {
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]83 return;
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]84 }
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]85
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]86 mbedtls_chacha20_free(&ctx->chacha20_ctx);
87 mbedtls_poly1305_free(&ctx->poly1305_ctx);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]88 ctx->aad_len = 0U;
89 ctx->ciphertext_len = 0U;
90 ctx->state = CHACHAPOLY_STATE_INIT;
91 ctx->mode = MBEDTLS_CHACHAPOLY_ENCRYPT;
92}
93
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]94int mbedtls_chachapoly_setkey(mbedtls_chachapoly_context *ctx,
95 const unsigned char key[32])
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]96{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]97 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]98
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]99 ret = mbedtls_chacha20_setkey(&ctx->chacha20_ctx, key);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]100
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]101 return ret;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]102}
103
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]104int mbedtls_chachapoly_starts(mbedtls_chachapoly_context *ctx,
105 const unsigned char nonce[12],
106 mbedtls_chachapoly_mode_t mode)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]107{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]108 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]109 unsigned char poly1305_key[64];
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]110
111 /* Set counter = 0, will be update to 1 when generating Poly1305 key */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]112 ret = mbedtls_chacha20_starts(&ctx->chacha20_ctx, nonce, 0U);
113 if (ret != 0) {
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]114 goto cleanup;
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]115 }
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]116
117 /* Generate the Poly1305 key by getting the ChaCha20 keystream output with
118 * counter = 0. This is the same as encrypting a buffer of zeroes.
119 * Only the first 256-bits (32 bytes) of the key is used for Poly1305.
120 * The other 256 bits are discarded.
121 */
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]122 memset(poly1305_key, 0, sizeof(poly1305_key));
123 ret = mbedtls_chacha20_update(&ctx->chacha20_ctx, sizeof(poly1305_key),
124 poly1305_key, poly1305_key);
125 if (ret != 0) {
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]126 goto cleanup;
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]127 }
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]128
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]129 ret = mbedtls_poly1305_starts(&ctx->poly1305_ctx, poly1305_key);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]130
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]131 if (ret == 0) {
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]132 ctx->aad_len = 0U;
133 ctx->ciphertext_len = 0U;
134 ctx->state = CHACHAPOLY_STATE_AAD;
135 ctx->mode = mode;
136 }
137
138cleanup:
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]139 mbedtls_platform_zeroize(poly1305_key, 64U);
140 return ret;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]141}
142
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]143int mbedtls_chachapoly_update_aad(mbedtls_chachapoly_context *ctx,
144 const unsigned char *aad,
145 size_t aad_len)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]146{
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]147 if (ctx->state != CHACHAPOLY_STATE_AAD) {
148 return MBEDTLS_ERR_CHACHAPOLY_BAD_STATE;
149 }
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]150
151 ctx->aad_len += aad_len;
152
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]153 return mbedtls_poly1305_update(&ctx->poly1305_ctx, aad, aad_len);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]154}
155
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]156int mbedtls_chachapoly_update(mbedtls_chachapoly_context *ctx,
157 size_t len,
158 const unsigned char *input,
159 unsigned char *output)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]160{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]161 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]162
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]163 if ((ctx->state != CHACHAPOLY_STATE_AAD) &&
164 (ctx->state != CHACHAPOLY_STATE_CIPHERTEXT)) {
165 return MBEDTLS_ERR_CHACHAPOLY_BAD_STATE;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]166 }
167
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]168 if (ctx->state == CHACHAPOLY_STATE_AAD) {
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]169 ctx->state = CHACHAPOLY_STATE_CIPHERTEXT;
170
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]171 ret = chachapoly_pad_aad(ctx);
172 if (ret != 0) {
173 return ret;
174 }
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]175 }
176
177 ctx->ciphertext_len += len;
178
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]179 if (ctx->mode == MBEDTLS_CHACHAPOLY_ENCRYPT) {
180 ret = mbedtls_chacha20_update(&ctx->chacha20_ctx, len, input, output);
181 if (ret != 0) {
182 return ret;
183 }
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]184
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]185 ret = mbedtls_poly1305_update(&ctx->poly1305_ctx, output, len);
186 if (ret != 0) {
187 return ret;
188 }
189 } else { /* DECRYPT */
190 ret = mbedtls_poly1305_update(&ctx->poly1305_ctx, input, len);
191 if (ret != 0) {
192 return ret;
193 }
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]194
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]195 ret = mbedtls_chacha20_update(&ctx->chacha20_ctx, len, input, output);
196 if (ret != 0) {
197 return ret;
198 }
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]199 }
200
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]201 return 0;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]202}
203
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]204int mbedtls_chachapoly_finish(mbedtls_chachapoly_context *ctx,
205 unsigned char mac[16])
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]206{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]207 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]208 unsigned char len_block[16];
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]209
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]210 if (ctx->state == CHACHAPOLY_STATE_INIT) {
211 return MBEDTLS_ERR_CHACHAPOLY_BAD_STATE;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]212 }
213
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]214 if (ctx->state == CHACHAPOLY_STATE_AAD) {
215 ret = chachapoly_pad_aad(ctx);
216 if (ret != 0) {
217 return ret;
218 }
219 } else if (ctx->state == CHACHAPOLY_STATE_CIPHERTEXT) {
220 ret = chachapoly_pad_ciphertext(ctx);
221 if (ret != 0) {
222 return ret;
223 }
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]224 }
225
226 ctx->state = CHACHAPOLY_STATE_FINISHED;
227
228 /* The lengths of the AAD and ciphertext are processed by
229 * Poly1305 as the final 128-bit block, encoded as little-endian integers.
230 */
Jerome Forissier039e02d2022-08-09 17:10:15 +0200[diff] [blame]231 MBEDTLS_PUT_UINT64_LE(ctx->aad_len, len_block, 0);
232 MBEDTLS_PUT_UINT64_LE(ctx->ciphertext_len, len_block, 8);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]233
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]234 ret = mbedtls_poly1305_update(&ctx->poly1305_ctx, len_block, 16U);
235 if (ret != 0) {
236 return ret;
237 }
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]238
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]239 ret = mbedtls_poly1305_finish(&ctx->poly1305_ctx, mac);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]240
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]241 return ret;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]242}
243
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]244static int chachapoly_crypt_and_tag(mbedtls_chachapoly_context *ctx,
245 mbedtls_chachapoly_mode_t mode,
246 size_t length,
247 const unsigned char nonce[12],
248 const unsigned char *aad,
249 size_t aad_len,
250 const unsigned char *input,
251 unsigned char *output,
252 unsigned char tag[16])
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]253{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]254 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]255
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]256 ret = mbedtls_chachapoly_starts(ctx, nonce, mode);
257 if (ret != 0) {
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]258 goto cleanup;
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]259 }
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]260
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]261 ret = mbedtls_chachapoly_update_aad(ctx, aad, aad_len);
262 if (ret != 0) {
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]263 goto cleanup;
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]264 }
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]265
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]266 ret = mbedtls_chachapoly_update(ctx, length, input, output);
267 if (ret != 0) {
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]268 goto cleanup;
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]269 }
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]270
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]271 ret = mbedtls_chachapoly_finish(ctx, tag);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]272
273cleanup:
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]274 return ret;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]275}
276
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]277int mbedtls_chachapoly_encrypt_and_tag(mbedtls_chachapoly_context *ctx,
278 size_t length,
279 const unsigned char nonce[12],
280 const unsigned char *aad,
281 size_t aad_len,
282 const unsigned char *input,
283 unsigned char *output,
284 unsigned char tag[16])
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]285{
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]286 return chachapoly_crypt_and_tag(ctx, MBEDTLS_CHACHAPOLY_ENCRYPT,
287 length, nonce, aad, aad_len,
288 input, output, tag);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]289}
290
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]291int mbedtls_chachapoly_auth_decrypt(mbedtls_chachapoly_context *ctx,
292 size_t length,
293 const unsigned char nonce[12],
294 const unsigned char *aad,
295 size_t aad_len,
296 const unsigned char tag[16],
297 const unsigned char *input,
298 unsigned char *output)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]299{
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]300 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]301 unsigned char check_tag[16];
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]302 int diff;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]303
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]304 if ((ret = chachapoly_crypt_and_tag(ctx,
305 MBEDTLS_CHACHAPOLY_DECRYPT, length, nonce,
306 aad, aad_len, input, output, check_tag)) != 0) {
307 return ret;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]308 }
309
310 /* Check tag in "constant-time" */
Tom Van Eyckc1633172024-04-09 18:44:13 +0200[diff] [blame]311 diff = mbedtls_ct_memcmp(tag, check_tag, sizeof(check_tag));
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]312
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]313 if (diff != 0) {
314 mbedtls_platform_zeroize(output, length);
315 return MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED;
316 }
317
318 return 0;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]319}
320
321#endif /* MBEDTLS_CHACHAPOLY_ALT */
322
323#if defined(MBEDTLS_SELF_TEST)
324
325static const unsigned char test_key[1][32] =
326{
327 {
328 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
329 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
330 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
331 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
332 }
333};
334
335static const unsigned char test_nonce[1][12] =
336{
337 {
338 0x07, 0x00, 0x00, 0x00, /* 32-bit common part */
339 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47 /* 64-bit IV */
340 }
341};
342
343static const unsigned char test_aad[1][12] =
344{
345 {
346 0x50, 0x51, 0x52, 0x53, 0xc0, 0xc1, 0xc2, 0xc3,
347 0xc4, 0xc5, 0xc6, 0xc7
348 }
349};
350
351static const size_t test_aad_len[1] =
352{
353 12U
354};
355
356static const unsigned char test_input[1][114] =
357{
358 {
359 0x4c, 0x61, 0x64, 0x69, 0x65, 0x73, 0x20, 0x61,
360 0x6e, 0x64, 0x20, 0x47, 0x65, 0x6e, 0x74, 0x6c,
361 0x65, 0x6d, 0x65, 0x6e, 0x20, 0x6f, 0x66, 0x20,
362 0x74, 0x68, 0x65, 0x20, 0x63, 0x6c, 0x61, 0x73,
363 0x73, 0x20, 0x6f, 0x66, 0x20, 0x27, 0x39, 0x39,
364 0x3a, 0x20, 0x49, 0x66, 0x20, 0x49, 0x20, 0x63,
365 0x6f, 0x75, 0x6c, 0x64, 0x20, 0x6f, 0x66, 0x66,
366 0x65, 0x72, 0x20, 0x79, 0x6f, 0x75, 0x20, 0x6f,
367 0x6e, 0x6c, 0x79, 0x20, 0x6f, 0x6e, 0x65, 0x20,
368 0x74, 0x69, 0x70, 0x20, 0x66, 0x6f, 0x72, 0x20,
369 0x74, 0x68, 0x65, 0x20, 0x66, 0x75, 0x74, 0x75,
370 0x72, 0x65, 0x2c, 0x20, 0x73, 0x75, 0x6e, 0x73,
371 0x63, 0x72, 0x65, 0x65, 0x6e, 0x20, 0x77, 0x6f,
372 0x75, 0x6c, 0x64, 0x20, 0x62, 0x65, 0x20, 0x69,
373 0x74, 0x2e
374 }
375};
376
377static const unsigned char test_output[1][114] =
378{
379 {
380 0xd3, 0x1a, 0x8d, 0x34, 0x64, 0x8e, 0x60, 0xdb,
381 0x7b, 0x86, 0xaf, 0xbc, 0x53, 0xef, 0x7e, 0xc2,
382 0xa4, 0xad, 0xed, 0x51, 0x29, 0x6e, 0x08, 0xfe,
383 0xa9, 0xe2, 0xb5, 0xa7, 0x36, 0xee, 0x62, 0xd6,
384 0x3d, 0xbe, 0xa4, 0x5e, 0x8c, 0xa9, 0x67, 0x12,
385 0x82, 0xfa, 0xfb, 0x69, 0xda, 0x92, 0x72, 0x8b,
386 0x1a, 0x71, 0xde, 0x0a, 0x9e, 0x06, 0x0b, 0x29,
387 0x05, 0xd6, 0xa5, 0xb6, 0x7e, 0xcd, 0x3b, 0x36,
388 0x92, 0xdd, 0xbd, 0x7f, 0x2d, 0x77, 0x8b, 0x8c,
389 0x98, 0x03, 0xae, 0xe3, 0x28, 0x09, 0x1b, 0x58,
390 0xfa, 0xb3, 0x24, 0xe4, 0xfa, 0xd6, 0x75, 0x94,
391 0x55, 0x85, 0x80, 0x8b, 0x48, 0x31, 0xd7, 0xbc,
392 0x3f, 0xf4, 0xde, 0xf0, 0x8e, 0x4b, 0x7a, 0x9d,
393 0xe5, 0x76, 0xd2, 0x65, 0x86, 0xce, 0xc6, 0x4b,
394 0x61, 0x16
395 }
396};
397
398static const size_t test_input_len[1] =
399{
400 114U
401};
402
403static const unsigned char test_mac[1][16] =
404{
405 {
406 0x1a, 0xe1, 0x0b, 0x59, 0x4f, 0x09, 0xe2, 0x6a,
407 0x7e, 0x90, 0x2e, 0xcb, 0xd0, 0x60, 0x06, 0x91
408 }
409};
410
Jerome Forissier79013242021-07-28 10:24:04 +0200[diff] [blame]411/* Make sure no other definition is already present. */
412#undef ASSERT
413
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]414#define ASSERT(cond, args) \
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]415 do \
416 { \
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]417 if (!(cond)) \
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]418 { \
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]419 if (verbose != 0) \
420 mbedtls_printf args; \
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]421 \
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]422 return -1; \
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]423 } \
424 } \
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]425 while (0)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]426
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]427int mbedtls_chachapoly_self_test(int verbose)
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]428{
429 mbedtls_chachapoly_context ctx;
430 unsigned i;
Jerome Forissier11fa71b2020-04-20 17:17:56 +0200[diff] [blame]431 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]432 unsigned char output[200];
433 unsigned char mac[16];
434
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]435 for (i = 0U; i < 1U; i++) {
436 if (verbose != 0) {
437 mbedtls_printf(" ChaCha20-Poly1305 test %u ", i);
438 }
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]439
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]440 mbedtls_chachapoly_init(&ctx);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]441
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]442 ret = mbedtls_chachapoly_setkey(&ctx, test_key[i]);
443 ASSERT(0 == ret, ("setkey() error code: %i\n", ret));
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]444
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]445 ret = mbedtls_chachapoly_encrypt_and_tag(&ctx,
446 test_input_len[i],
447 test_nonce[i],
448 test_aad[i],
449 test_aad_len[i],
450 test_input[i],
451 output,
452 mac);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]453
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]454 ASSERT(0 == ret, ("crypt_and_tag() error code: %i\n", ret));
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]455
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]456 ASSERT(0 == memcmp(output, test_output[i], test_input_len[i]),
457 ("failure (wrong output)\n"));
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]458
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]459 ASSERT(0 == memcmp(mac, test_mac[i], 16U),
460 ("failure (wrong MAC)\n"));
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]461
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]462 mbedtls_chachapoly_free(&ctx);
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]463
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]464 if (verbose != 0) {
465 mbedtls_printf("passed\n");
466 }
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]467 }
468
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]469 if (verbose != 0) {
470 mbedtls_printf("\n");
471 }
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]472
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]473 return 0;
Jens Wiklander3d3b0592019-03-20 15:30:29 +0100[diff] [blame]474}
475
476#endif /* MBEDTLS_SELF_TEST */
477
478#endif /* MBEDTLS_CHACHAPOLY_C */