Blame - lib/libmbedtls/mbedtls/library/chachapoly.c - OP-TEE/optee_os

2019-03-20 15:30:29 +0100

[diff] [blame]

/**

* \file chachapoly.c

*

* \brief ChaCha20-Poly1305 AEAD construction based on RFC 7539.

5

*

Jerome Forissier

7901324

2021-07-28 10:24:04 +0200

[diff] [blame]

6

* Copyright The Mbed TLS Contributors

7

* SPDX-License-Identifier: Apache-2.0

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

8

*

9

* Licensed under the Apache License, Version 2.0 (the "License"); you may

10

* not use this file except in compliance with the License.

11

* You may obtain a copy of the License at

12

*

13

* http://www.apache.org/licenses/LICENSE-2.0

14

*

15

* Unless required by applicable law or agreed to in writing, software

16

* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT

17

* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

18

* See the License for the specific language governing permissions and

19

* limitations under the License.

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

20

*/

Jerome Forissier

7901324

2021-07-28 10:24:04 +0200

[diff] [blame]

21

#include "common.h"

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

22

23

#if defined(MBEDTLS_CHACHAPOLY_C)

24

25

#include "mbedtls/chachapoly.h"

26

#include "mbedtls/platform_util.h"

Jerome Forissier

2020-04-20 17:17:56 +0200

[diff] [blame]

27

#include "mbedtls/error.h"

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

#include <string.h>

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

31

#include "mbedtls/platform.h"

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

32

33

#if !defined(MBEDTLS_CHACHAPOLY_ALT)

34

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

35

#define CHACHAPOLY_STATE_INIT (0)

36

#define CHACHAPOLY_STATE_AAD (1)

37

#define CHACHAPOLY_STATE_CIPHERTEXT (2) /* Encrypting or decrypting */

38

#define CHACHAPOLY_STATE_FINISHED (3)

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

39

40

/**

41

* \brief Adds nul bytes to pad the AAD for Poly1305.

42

*

43

* \param ctx The ChaCha20-Poly1305 context.

44

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

45

static int chachapoly_pad_aad(mbedtls_chachapoly_context *ctx)

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

46

{

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

47

uint32_t partial_block_len = (uint32_t) (ctx->aad_len % 16U);

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

48

unsigned char zeroes[15];

49

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

50

if (partial_block_len == 0U) {

51

return 0;

52

}

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

53

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

54

memset(zeroes, 0, sizeof(zeroes));

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

55

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

56

return mbedtls_poly1305_update(&ctx->poly1305_ctx,

57

zeroes,

58

16U - partial_block_len);

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

}

/**

* \brief Adds nul bytes to pad the ciphertext for Poly1305.

63

*

64

* \param ctx The ChaCha20-Poly1305 context.

65

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

66

static int chachapoly_pad_ciphertext(mbedtls_chachapoly_context *ctx)

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

67

{

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

68

uint32_t partial_block_len = (uint32_t) (ctx->ciphertext_len % 16U);

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

69

unsigned char zeroes[15];

70

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

71

if (partial_block_len == 0U) {

72

return 0;

73

}

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

74

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

75

memset(zeroes, 0, sizeof(zeroes));

76

return mbedtls_poly1305_update(&ctx->poly1305_ctx,

77

zeroes,

78

16U - partial_block_len);

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

79

}

80

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

81

void mbedtls_chachapoly_init(mbedtls_chachapoly_context *ctx)

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

82

{

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

83

mbedtls_chacha20_init(&ctx->chacha20_ctx);

84

mbedtls_poly1305_init(&ctx->poly1305_ctx);

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

85

ctx->aad_len = 0U;

86

ctx->ciphertext_len = 0U;

87

ctx->state = CHACHAPOLY_STATE_INIT;

88

ctx->mode = MBEDTLS_CHACHAPOLY_ENCRYPT;

89

}

90

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

91

void mbedtls_chachapoly_free(mbedtls_chachapoly_context *ctx)

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

92

{

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

93

if (ctx == NULL) {

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

94

return;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

95

}

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

96

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

97

mbedtls_chacha20_free(&ctx->chacha20_ctx);

98

mbedtls_poly1305_free(&ctx->poly1305_ctx);

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

99

ctx->aad_len = 0U;

100

ctx->ciphertext_len = 0U;

101

ctx->state = CHACHAPOLY_STATE_INIT;

102

ctx->mode = MBEDTLS_CHACHAPOLY_ENCRYPT;

103

}

104

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

105

int mbedtls_chachapoly_setkey(mbedtls_chachapoly_context *ctx,

106

const unsigned char key[32])

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

107

{

Jerome Forissier

2020-04-20 17:17:56 +0200

[diff] [blame]

108

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

109

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

110

ret = mbedtls_chacha20_setkey(&ctx->chacha20_ctx, key);

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

111

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

112

return ret;

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

113

}

114

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

115

int mbedtls_chachapoly_starts(mbedtls_chachapoly_context *ctx,

116

const unsigned char nonce[12],

117

mbedtls_chachapoly_mode_t mode)

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

118

{

Jerome Forissier

2020-04-20 17:17:56 +0200

[diff] [blame]

119

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

120

unsigned char poly1305_key[64];

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

121

122

/* Set counter = 0, will be update to 1 when generating Poly1305 key */

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

123

ret = mbedtls_chacha20_starts(&ctx->chacha20_ctx, nonce, 0U);

124

if (ret != 0) {

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

125

goto cleanup;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

126

}

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

127

128

/* Generate the Poly1305 key by getting the ChaCha20 keystream output with

129

* counter = 0. This is the same as encrypting a buffer of zeroes.

130

* Only the first 256-bits (32 bytes) of the key is used for Poly1305.

131

* The other 256 bits are discarded.

132

*/

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

133

memset(poly1305_key, 0, sizeof(poly1305_key));

134

ret = mbedtls_chacha20_update(&ctx->chacha20_ctx, sizeof(poly1305_key),

135

poly1305_key, poly1305_key);

136

if (ret != 0) {

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

137

goto cleanup;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

138

}

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

139

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

140

ret = mbedtls_poly1305_starts(&ctx->poly1305_ctx, poly1305_key);

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

141

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

142

if (ret == 0) {

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

143

ctx->aad_len = 0U;

144

ctx->ciphertext_len = 0U;

145

ctx->state = CHACHAPOLY_STATE_AAD;

ctx->mode = mode;

}

cleanup:

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

150

mbedtls_platform_zeroize(poly1305_key, 64U);

151

return ret;

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

152

}

153

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

154

int mbedtls_chachapoly_update_aad(mbedtls_chachapoly_context *ctx,

155

const unsigned char *aad,

156

size_t aad_len)

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

157

{

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

158

if (ctx->state != CHACHAPOLY_STATE_AAD) {

159

return MBEDTLS_ERR_CHACHAPOLY_BAD_STATE;

160

}

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

161

162

ctx->aad_len += aad_len;

163

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

164

return mbedtls_poly1305_update(&ctx->poly1305_ctx, aad, aad_len);

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

165

}

166

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

167

int mbedtls_chachapoly_update(mbedtls_chachapoly_context *ctx,

168

size_t len,

169

const unsigned char *input,

170

unsigned char *output)

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

171

{

Jerome Forissier

2020-04-20 17:17:56 +0200

[diff] [blame]

172

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

173

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

174

if ((ctx->state != CHACHAPOLY_STATE_AAD) &&

175

(ctx->state != CHACHAPOLY_STATE_CIPHERTEXT)) {

176

return MBEDTLS_ERR_CHACHAPOLY_BAD_STATE;

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

177

}

178

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

179

if (ctx->state == CHACHAPOLY_STATE_AAD) {

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

180

ctx->state = CHACHAPOLY_STATE_CIPHERTEXT;

181

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

182

ret = chachapoly_pad_aad(ctx);

183

if (ret != 0) {

184

return ret;

185

}

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

186

}

187

188

ctx->ciphertext_len += len;

189

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

190

if (ctx->mode == MBEDTLS_CHACHAPOLY_ENCRYPT) {

191

ret = mbedtls_chacha20_update(&ctx->chacha20_ctx, len, input, output);

192

if (ret != 0) {

193

return ret;

194

}

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

195

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

196

ret = mbedtls_poly1305_update(&ctx->poly1305_ctx, output, len);

if (ret != 0) {

return ret;

}

} else { /* DECRYPT */

201

ret = mbedtls_poly1305_update(&ctx->poly1305_ctx, input, len);

202

if (ret != 0) {

203

return ret;

204

}

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

205

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

206

ret = mbedtls_chacha20_update(&ctx->chacha20_ctx, len, input, output);

207

if (ret != 0) {

208

return ret;

209

}

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

210

}

211

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

212

return 0;

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

213

}

214

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

215

int mbedtls_chachapoly_finish(mbedtls_chachapoly_context *ctx,

216

unsigned char mac[16])

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

217

{

Jerome Forissier

2020-04-20 17:17:56 +0200

[diff] [blame]

218

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

219

unsigned char len_block[16];

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

220

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

221

if (ctx->state == CHACHAPOLY_STATE_INIT) {

222

return MBEDTLS_ERR_CHACHAPOLY_BAD_STATE;

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

223

}

224

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

225

if (ctx->state == CHACHAPOLY_STATE_AAD) {

226

ret = chachapoly_pad_aad(ctx);

if (ret != 0) {

return ret;

}

} else if (ctx->state == CHACHAPOLY_STATE_CIPHERTEXT) {

231

ret = chachapoly_pad_ciphertext(ctx);

232

if (ret != 0) {

233

return ret;

234

}

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

235

}

236

237

ctx->state = CHACHAPOLY_STATE_FINISHED;

238

239

/* The lengths of the AAD and ciphertext are processed by

240

* Poly1305 as the final 128-bit block, encoded as little-endian integers.

241

*/

Jerome Forissier

039e02d

2022-08-09 17:10:15 +0200

[diff] [blame]

242

MBEDTLS_PUT_UINT64_LE(ctx->aad_len, len_block, 0);

243

MBEDTLS_PUT_UINT64_LE(ctx->ciphertext_len, len_block, 8);

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

244

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

245

ret = mbedtls_poly1305_update(&ctx->poly1305_ctx, len_block, 16U);

246

if (ret != 0) {

247

return ret;

248

}

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

249

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

250

ret = mbedtls_poly1305_finish(&ctx->poly1305_ctx, mac);

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

251

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

252

return ret;

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

253

}

254

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

255

static int chachapoly_crypt_and_tag(mbedtls_chachapoly_context *ctx,

256

mbedtls_chachapoly_mode_t mode,

257

size_t length,

258

const unsigned char nonce[12],

259

const unsigned char *aad,

260

size_t aad_len,

261

const unsigned char *input,

262

unsigned char *output,

263

unsigned char tag[16])

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

264

{

Jerome Forissier

2020-04-20 17:17:56 +0200

[diff] [blame]

265

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

266

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

267

ret = mbedtls_chachapoly_starts(ctx, nonce, mode);

268

if (ret != 0) {

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

269

goto cleanup;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

270

}

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

271

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

272

ret = mbedtls_chachapoly_update_aad(ctx, aad, aad_len);

273

if (ret != 0) {

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

274

goto cleanup;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

275

}

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

276

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

277

ret = mbedtls_chachapoly_update(ctx, length, input, output);

278

if (ret != 0) {

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

279

goto cleanup;

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

280

}

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

281

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

282

ret = mbedtls_chachapoly_finish(ctx, tag);

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

283

284

cleanup:

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

285

return ret;

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

286

}

287

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

288

int mbedtls_chachapoly_encrypt_and_tag(mbedtls_chachapoly_context *ctx,

289

size_t length,

290

const unsigned char nonce[12],

291

const unsigned char *aad,

292

size_t aad_len,

293

const unsigned char *input,

294

unsigned char *output,

295

unsigned char tag[16])

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

296

{

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

297

return chachapoly_crypt_and_tag(ctx, MBEDTLS_CHACHAPOLY_ENCRYPT,

298

length, nonce, aad, aad_len,

299

input, output, tag);

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

300

}

301

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

302

int mbedtls_chachapoly_auth_decrypt(mbedtls_chachapoly_context *ctx,

303

size_t length,

304

const unsigned char nonce[12],

305

const unsigned char *aad,

306

size_t aad_len,

307

const unsigned char tag[16],

308

const unsigned char *input,

309

unsigned char *output)

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

310

{

Jerome Forissier

2020-04-20 17:17:56 +0200

[diff] [blame]

311

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

312

unsigned char check_tag[16];

313

size_t i;

314

int diff;

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

315

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

316

if ((ret = chachapoly_crypt_and_tag(ctx,

317

MBEDTLS_CHACHAPOLY_DECRYPT, length, nonce,

318

aad, aad_len, input, output, check_tag)) != 0) {

319

return ret;

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

320

}

321

322

/* Check tag in "constant-time" */

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

323

for (diff = 0, i = 0; i < sizeof(check_tag); i++) {

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

324

diff |= tag[i] ^ check_tag[i];

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

325

}

326

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

327

if (diff != 0) {

328

mbedtls_platform_zeroize(output, length);

329

return MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED;

330

}

331

332

return 0;

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

333

}

334

335

#endif /* MBEDTLS_CHACHAPOLY_ALT */

336

337

#if defined(MBEDTLS_SELF_TEST)

338

339

static const unsigned char test_key[1][32] =

340

{

341

{

342

0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,

343

0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,

344

0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,

345

0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f

}

};

static const unsigned char test_nonce[1][12] =

350

{

351

{

352

0x07, 0x00, 0x00, 0x00, /* 32-bit common part */

353

0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47 /* 64-bit IV */

}

};

static const unsigned char test_aad[1][12] =

358

{

359

{

360

0x50, 0x51, 0x52, 0x53, 0xc0, 0xc1, 0xc2, 0xc3,

361

0xc4, 0xc5, 0xc6, 0xc7

}

};

static const size_t test_aad_len[1] =

{

12U

};

static const unsigned char test_input[1][114] =

371

{

372

{

373

0x4c, 0x61, 0x64, 0x69, 0x65, 0x73, 0x20, 0x61,

374

0x6e, 0x64, 0x20, 0x47, 0x65, 0x6e, 0x74, 0x6c,

375

0x65, 0x6d, 0x65, 0x6e, 0x20, 0x6f, 0x66, 0x20,

376

0x74, 0x68, 0x65, 0x20, 0x63, 0x6c, 0x61, 0x73,

377

0x73, 0x20, 0x6f, 0x66, 0x20, 0x27, 0x39, 0x39,

378

0x3a, 0x20, 0x49, 0x66, 0x20, 0x49, 0x20, 0x63,

379

0x6f, 0x75, 0x6c, 0x64, 0x20, 0x6f, 0x66, 0x66,

380

0x65, 0x72, 0x20, 0x79, 0x6f, 0x75, 0x20, 0x6f,

381

0x6e, 0x6c, 0x79, 0x20, 0x6f, 0x6e, 0x65, 0x20,

382

0x74, 0x69, 0x70, 0x20, 0x66, 0x6f, 0x72, 0x20,

383

0x74, 0x68, 0x65, 0x20, 0x66, 0x75, 0x74, 0x75,

384

0x72, 0x65, 0x2c, 0x20, 0x73, 0x75, 0x6e, 0x73,

385

0x63, 0x72, 0x65, 0x65, 0x6e, 0x20, 0x77, 0x6f,

386

0x75, 0x6c, 0x64, 0x20, 0x62, 0x65, 0x20, 0x69,

0x74, 0x2e

}

};

static const unsigned char test_output[1][114] =

392

{

393

{

394

0xd3, 0x1a, 0x8d, 0x34, 0x64, 0x8e, 0x60, 0xdb,

395

0x7b, 0x86, 0xaf, 0xbc, 0x53, 0xef, 0x7e, 0xc2,

396

0xa4, 0xad, 0xed, 0x51, 0x29, 0x6e, 0x08, 0xfe,

397

0xa9, 0xe2, 0xb5, 0xa7, 0x36, 0xee, 0x62, 0xd6,

398

0x3d, 0xbe, 0xa4, 0x5e, 0x8c, 0xa9, 0x67, 0x12,

399

0x82, 0xfa, 0xfb, 0x69, 0xda, 0x92, 0x72, 0x8b,

400

0x1a, 0x71, 0xde, 0x0a, 0x9e, 0x06, 0x0b, 0x29,

401

0x05, 0xd6, 0xa5, 0xb6, 0x7e, 0xcd, 0x3b, 0x36,

402

0x92, 0xdd, 0xbd, 0x7f, 0x2d, 0x77, 0x8b, 0x8c,

403

0x98, 0x03, 0xae, 0xe3, 0x28, 0x09, 0x1b, 0x58,

404

0xfa, 0xb3, 0x24, 0xe4, 0xfa, 0xd6, 0x75, 0x94,

405

0x55, 0x85, 0x80, 0x8b, 0x48, 0x31, 0xd7, 0xbc,

406

0x3f, 0xf4, 0xde, 0xf0, 0x8e, 0x4b, 0x7a, 0x9d,

407

0xe5, 0x76, 0xd2, 0x65, 0x86, 0xce, 0xc6, 0x4b,

0x61, 0x16

}

};

static const size_t test_input_len[1] =

{

114U

};

static const unsigned char test_mac[1][16] =

418

{

419

{

420

0x1a, 0xe1, 0x0b, 0x59, 0x4f, 0x09, 0xe2, 0x6a,

421

0x7e, 0x90, 0x2e, 0xcb, 0xd0, 0x60, 0x06, 0x91

}

};

Jerome Forissier

2021-07-28 10:24:04 +0200

[diff] [blame]

425

/* Make sure no other definition is already present. */

426

#undef ASSERT

427

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

428

#define ASSERT(cond, args) \

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

429

do \

430

{ \

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

431

if (!(cond)) \

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

432

{ \

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

433

if (verbose != 0) \

434

mbedtls_printf args; \

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

435

\

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

436

return -1; \

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

437

} \

438

} \

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

439

while (0)

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

440

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

441

int mbedtls_chachapoly_self_test(int verbose)

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

442

{

443

mbedtls_chachapoly_context ctx;

444

unsigned i;

Jerome Forissier

2020-04-20 17:17:56 +0200

[diff] [blame]

445

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

446

unsigned char output[200];

447

unsigned char mac[16];

448

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

449

for (i = 0U; i < 1U; i++) {

450

if (verbose != 0) {

451

mbedtls_printf(" ChaCha20-Poly1305 test %u ", i);

452

}

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

453

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

454

mbedtls_chachapoly_init(&ctx);

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

455

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

456

ret = mbedtls_chachapoly_setkey(&ctx, test_key[i]);

457

ASSERT(0 == ret, ("setkey() error code: %i\n", ret));

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

458

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

459

ret = mbedtls_chachapoly_encrypt_and_tag(&ctx,

test_input_len[i],

test_nonce[i],

test_aad[i],

test_aad_len[i],

test_input[i],

output,

mac);

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

467

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

468

ASSERT(0 == ret, ("crypt_and_tag() error code: %i\n", ret));

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

469

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

470

ASSERT(0 == memcmp(output, test_output[i], test_input_len[i]),

471

("failure (wrong output)\n"));

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

472

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

473

ASSERT(0 == memcmp(mac, test_mac[i], 16U),

474

("failure (wrong MAC)\n"));

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

475

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

476

mbedtls_chachapoly_free(&ctx);

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

477

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

478

if (verbose != 0) {

479

mbedtls_printf("passed\n");

480

}

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

481

}

482

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

483

if (verbose != 0) {

484

mbedtls_printf("\n");

485

}

Jens Wiklander

2019-03-20 15:30:29 +0100

[diff] [blame]

486

Jens Wiklander

2023-10-06 16:59:46 +0200

[diff] [blame]

487

return 0;

Jens Wiklander