Implement AEAD-ChaCha20-Poly1305.
This implementation is based off the description in RFC 7539.
The ChaCha20 code is also updated to provide a means of generating
keystream blocks with arbitrary counter values. This is used to
generated the one-time Poly1305 key in the AEAD construction.
diff --git a/include/mbedtls/aead_chacha20_poly1305.h b/include/mbedtls/aead_chacha20_poly1305.h
new file mode 100644
index 0000000..a1ccf31
--- /dev/null
+++ b/include/mbedtls/aead_chacha20_poly1305.h
@@ -0,0 +1,224 @@
+/**
+ * \file aead_chacha20_poly1305.h
+ *
+ * \brief ChaCha20-Poly1305 AEAD construction based on RFC 7539.
+ *
+ * Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_AEAD_CHACHA20_POLY1305_H
+#define MBEDTLS_AEAD_CHACHA20_POLY1305_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if !defined(MBEDTLS_AEAD_CHACHA20_POLY1305_ALT)
+
+#include "chacha20.h"
+#include "poly1305.h"
+
+#define MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_INPUT_DATA -0x00047 /**< Invalid input parameter(s). */
+#define MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_STATE -0x00049 /**< The requested operation is not permitted in the current state */
+
+typedef enum
+{
+ MBEDTLS_AEAD_CHACHA20_POLY1305_ENCRYPT,
+ MBEDTLS_AEAD_CHACHA20_POLY1305_DECRYPT
+}
+mbedtls_aead_chacha20_poly1305_mode_t;
+
+typedef struct
+{
+ mbedtls_chacha20_context chacha20_ctx; /** ChaCha20 context */
+ mbedtls_poly1305_context poly1305_ctx; /** Poly1305 context */
+ uint64_t aad_len; /** Length (bytes) of the Additional Authenticated Data */
+ uint64_t ciphertext_len; /** Length (bytes) of the ciphertext */
+ int state; /** Current state of the context */
+ mbedtls_aead_chacha20_poly1305_mode_t mode; /** Cipher mode (encrypt or decrypt) */
+}
+mbedtls_aead_chacha20_poly1305_context;
+
+/**
+ * \brief Initialize ChaCha20-Poly1305 context
+ *
+ * \param ctx ChaCha20-Poly1305 context to be initialized
+ */
+void mbedtls_aead_chacha20_poly1305_init( mbedtls_aead_chacha20_poly1305_context *ctx );
+
+/**
+ * \brief Clear ChaCha20-Poly1305 context
+ *
+ * \param ctx ChaCha20-Poly1305 context to be cleared
+ */
+void mbedtls_aead_chacha20_poly1305_free( mbedtls_aead_chacha20_poly1305_context *ctx );
+
+/**
+ * \brief Set the ChaCha20-Poly1305 symmetric encryption key.
+ *
+ * \param ctx The ChaCha20-Poly1305 context.
+ * \param key The 256-bit (32 bytes) key.
+ *
+ * \return MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_INPUT_DATA is returned
+ * if \p ctx or \p key are NULL.
+ * Otherwise, 0 is returned to indicate success.
+ */
+int mbedtls_aead_chacha20_poly1305_setkey( mbedtls_aead_chacha20_poly1305_context *ctx,
+ const unsigned char key[32] );
+
+/**
+ * \brief Setup ChaCha20-Poly1305 context for encryption or decryption.
+ *
+ * \note If the context is being used for AAD only (no data to
+ * encrypt or decrypt) then \p mode can be set to any value.
+ *
+ * \param ctx The ChaCha20-Poly1305 context.
+ * \param nonce The nonce/IV to use for the message. This must be unique
+ * for every message encrypted under the same key.
+ * \param mode Specifies whether the context is used to encrypt or
+ * decrypt data.
+ *
+ * \return MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_INPUT_DATA is returned
+ * if \p ctx or \p mac are NULL.
+ * Otherwise, 0 is returned to indicate success.
+ */
+int mbedtls_aead_chacha20_poly1305_starts( mbedtls_aead_chacha20_poly1305_context *ctx,
+ const unsigned char nonce[12],
+ mbedtls_aead_chacha20_poly1305_mode_t mode );
+
+/**
+ * \brief Process additional authenticated data (AAD).
+ *
+ * This function processes data that is authenticated, but
+ * not encrypted.
+ *
+ * \note This function is called before data is encrypted/decrypted.
+ * I.e. call this function to process the AAD before calling
+ * mbedtls_aead_chacha20_poly1305_update.
+ *
+ * You may call this function multiple times to process
+ * an arbitrary amount of AAD. It is permitted to call
+ * this function 0 times, if no AAD is used.
+ *
+ * This function cannot be called any more if data has
+ * been processed by mbedtls_aead_chacha20_poly1305_update,
+ * or if the context has been finished.
+ *
+ * \param ctx The ChaCha20-Poly1305 context.
+ * \param aad_len The length (in bytes) of the AAD. The length has no
+ * restrictions.
+ * \param aad Buffer containing the AAD.
+ *
+ * \return MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_INPUT_DATA is returned
+ * if \p ctx or \p aad are NULL.
+ * MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_STATE is returned if
+ * the context has not been setup, the context has been
+ * finished, or if the AAD has been finished.
+ * Otherwise, 0 is returned to indicate success.
+ */
+int mbedtls_aead_chacha20_poly1305_update_aad( mbedtls_aead_chacha20_poly1305_context *ctx,
+ size_t aad_len,
+ const unsigned char *aad );
+
+/**
+ * \brief Encrypt/decrypt data.
+ *
+ * The direction (encryption or decryption) depends on the
+ * mode that was given when calling
+ * mbedtls_aead_chacha20_poly1305_starts.
+ *
+ * You may call this function multiple times to process
+ * an arbitrary amount of data. It is permitted to call
+ * this function 0 times, if no data is to be encrypted
+ * or decrypted.
+ *
+ * \param ctx The ChaCha20-Poly1305 context.
+ * \param len The length (in bytes) of the data to encrypt or decrypt.
+ * \param input Buffer containing the data to encrypt or decrypt.
+ * \param output Buffer to where the encrypted or decrypted data is written.
+ *
+ * \return MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_INPUT_DATA is returned
+ * if \p ctx, \p input, or \p output are NULL.
+ * MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_STATE is returned if
+ * the context has not been setup, or if the context has been
+ * finished.
+ * Otherwise, 0 is returned to indicate success.
+ */
+int mbedtls_aead_chacha20_poly1305_update( mbedtls_aead_chacha20_poly1305_context *ctx,
+ size_t len,
+ const unsigned char *input,
+ unsigned char *output );
+
+/**
+ * \brief Compute the ChaCha20-Poly1305 MAC.
+ *
+ * \param ctx The ChaCha20-Poly1305 context.
+ * \param mac Buffer to where the 128-bit (16 bytes) MAC is written.
+ *
+ * \return MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_INPUT_DATA is returned
+ * if \p ctx or \p mac are NULL.
+ * MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_STATE is returned if
+ * the context has not been setup.
+ * Otherwise, 0 is returned to indicate success.
+ */
+int mbedtls_aead_chacha20_poly1305_finish( mbedtls_aead_chacha20_poly1305_context *ctx,
+ unsigned char mac[16] );
+
+#else /* !MBEDTLS_AEAD_CHACHA20_POLY1305_ALT */
+#include "aead_chacha20_poly1305_alt.h"
+#endif /* !MBEDTLS_AEAD_CHACHA20_POLY1305_ALT */
+
+/**
+ * \brief Encrypt or decrypt data, and produce a MAC with ChaCha20-Poly1305.
+ *
+ * \param key The 256-bit (32 bytes) encryption key to use.
+ * \param nonce The 96-bit (12 bytes) nonce/IV to use.
+ * \param mode Specifies whether the data in the \p input buffer is to
+ * be encrypted or decrypted. If there is no data to encrypt
+ * or decrypt (i.e. \p ilen is 0) then the value of this
+ * parameter does not matter.
+ * \param aad_len The length (in bytes) of the AAD data to process.
+ * \param aad Buffer containing the additional authenticated data (AAD).
+ * \param ilen The length (in bytes) of the data to encrypt or decrypt.
+ * \param input Buffer containing the data to encrypt or decrypt.
+ * \param output Buffer to where the encrypted or decrypted data is written.
+ * \param mac Buffer to where the computed 128-bit (16 bytes) MAC is written.
+ *
+ * \return MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_INPUT_DATA is returned
+ * if one or more of the required parameters are NULL.
+ * Otherwise, 0 is returned to indicate success.
+ */
+int mbedtls_aead_chacha20_poly1305_crypt_and_mac( const unsigned char key[32],
+ const unsigned char nonce[12],
+ mbedtls_aead_chacha20_poly1305_mode_t mode,
+ size_t aad_len,
+ const unsigned char *aad,
+ size_t ilen,
+ const unsigned char *input,
+ unsigned char *output,
+ unsigned char mac[16] );
+
+/**
+ * \brief Checkup routine
+ *
+ * \return 0 if successful, or 1 if the test failed
+ */
+int mbedtls_aead_chacha20_poly1305_self_test( int verbose );
+
+#endif /* MBEDTLS_AEAD_CHACHA20_POLY1305_H */
diff --git a/include/mbedtls/chacha20.h b/include/mbedtls/chacha20.h
index d23618e..ab87f66 100644
--- a/include/mbedtls/chacha20.h
+++ b/include/mbedtls/chacha20.h
@@ -100,6 +100,27 @@
uint32_t counter );
/**
+ * \brief Generates a block of keystream bytes for a specific counter value.
+ *
+ * This function uses the key and nonce previously set in
+ * the context (via mbedtls_chacha20_setkey and
+ * mbedtls_chacha20_starts), but ignores the previously
+ * set counter and uses the counter given as the parameter to
+ * this function.
+ *
+ * \param ctx The ChaCha20 context. This context is not modified.
+ * \param counter The counter value to use.
+ * \param keystream Buffer to where the generated keystream bytes are written.
+ *
+ * \return MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA if ctx or keystream are
+ * NULL.
+ * Otherwise, 0 is returned to indicate success.
+ */
+int mbedtls_chacha20_keystream_block( const mbedtls_chacha20_context *ctx,
+ uint32_t counter,
+ unsigned char keystream[64] );
+
+/**
* \brief Encrypt or decrypt data.
*
* This function is used to both encrypt and decrypt data.
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 7d0960a..22d465c 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -269,6 +269,7 @@
* digests and ciphers instead.
*
*/
+//#define MBEDTLS_AEAD_CHACHA20_POLY1305_ALT
//#define MBEDTLS_AES_ALT
//#define MBEDTLS_ARC4_ALT
//#define MBEDTLS_BLOWFISH_ALT
@@ -1689,6 +1690,17 @@
#define MBEDTLS_AES_C
/**
+ * \def MBEDTLS_AEAD_CHACHA20_POLY1305_C
+ *
+ * Enable the ChaCha20-Poly1305 AEAD algorithm.
+ *
+ * Module: library/aead_chacha20_poly1305.c
+ *
+ * This module requires: MBEDTLS_CHACHA20_C, MBEDTLS_POLY1305_C
+ */
+#define MBEDTLS_AEAD_CHACHA20_POLY1305_C
+
+/**
* \def MBEDTLS_ARC4_C
*
* Enable the ARCFOUR stream cipher.
@@ -1838,6 +1850,16 @@
#define MBEDTLS_CAMELLIA_C
/**
+ * \def MBEDTLS_CHACHA20_C
+ *
+ * Enable the ChaCha20 block cipher.
+ *
+ * Module: library/chacha20.c
+ * Caller: library/aead_chacha20_poly1305.c
+ */
+#define MBEDTLS_CHACHA20_C
+
+/**
* \def MBEDTLS_CCM_C
*
* Enable the Counter with CBC-MAC (CCM) mode for 128-bit block cipher.
@@ -2405,6 +2427,7 @@
* Enable the Poly1305 MAC algorithm.
*
* Module: library/poly1305.c
+ * Caller: library/aead_chacha20_poly1305.c
*/
#define MBEDTLS_POLY1305_C
diff --git a/include/mbedtls/error.h b/include/mbedtls/error.h
index feeda79..72b7f18 100644
--- a/include/mbedtls/error.h
+++ b/include/mbedtls/error.h
@@ -78,6 +78,7 @@
* SHA512 1 0x0039-0x0039
* CHACHA20 1 0x003B-0x003B
* POLY1305 1 0x0041-0x0041
+ * AEAD_CHACHA20_POLY1305 2 0x0047-0x0049
*
* High-level module nr (3 bits - 0x0...-0x7...)
* Name ID Nr of Errors
diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt
index 251b6c6..b8f663d 100644
--- a/library/CMakeLists.txt
+++ b/library/CMakeLists.txt
@@ -3,6 +3,7 @@
option(LINK_WITH_PTHREAD "Explicitly link mbed TLS library to pthread." OFF)
set(src_crypto
+ aead_chacha20_poly1305.c
aes.c
aesni.c
arc4.c
diff --git a/library/Makefile b/library/Makefile
index 5fd693b..de4bd5c 100644
--- a/library/Makefile
+++ b/library/Makefile
@@ -47,7 +47,8 @@
DLEXT=dll
endif
-OBJS_CRYPTO= aes.o aesni.o arc4.o \
+OBJS_CRYPTO= aead_chacha20_poly1305.o \
+ aes.o aesni.o arc4.o \
asn1parse.o asn1write.o base64.o \
bignum.o blowfish.o camellia.o \
ccm.o chacha20.o \
diff --git a/library/aead_chacha20_poly1305.c b/library/aead_chacha20_poly1305.c
new file mode 100644
index 0000000..ab29dfa
--- /dev/null
+++ b/library/aead_chacha20_poly1305.c
@@ -0,0 +1,463 @@
+/**
+ * \file aead_chacha20_poly1305.c
+ *
+ * \brief ChaCha20-Poly1305 AEAD construction based on RFC 7539.
+ *
+ * Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_AEAD_CHACHA20_POLY1305_C)
+
+#include "mbedtls/aead_chacha20_poly1305.h"
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#if !defined(MBEDTLS_AEAD_CHACHA20_POLY1305_ALT)
+
+#define AEAD_CHACHA20_POLY1305_STATE_INIT ( 0 )
+#define AEAD_CHACHA20_POLY1305_STATE_AAD ( 1 )
+#define AEAD_CHACHA20_POLY1305_STATE_CIPHERTEXT ( 2 ) /* Encrypting or decrypting */
+#define AEAD_CHACHA20_POLY1305_STATE_FINISHED ( 3 )
+
+/* Implementation that should never be optimized out by the compiler */
+static void mbedtls_zeroize( void *v, size_t n ) {
+ volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
+/**
+ * \brief Adds padding bytes (zeroes) to pad the AAD for Poly1305.
+ *
+ * \param ctx The ChaCha20-Poly1305 context.
+ */
+static void mbedtls_aead_chacha20_poly1305_pad_aad( mbedtls_aead_chacha20_poly1305_context *ctx )
+{
+ uint32_t partial_block_len = (uint32_t)( ctx->aad_len % 16U );
+ unsigned char zeroes[15];
+
+ if ( partial_block_len > 0U )
+ {
+ memset( zeroes, 0, sizeof(zeroes) );
+ (void)mbedtls_poly1305_update( &ctx->poly1305_ctx,
+ 16U - partial_block_len,
+ zeroes );
+ }
+}
+
+/**
+ * \brief Adds padding bytes (zeroes) to pad the ciphertext for Poly1305.
+ *
+ * \param ctx The ChaCha20-Poly1305 context.
+ */
+static void mbedtls_aead_chacha20_poly1305_pad_ciphertext( mbedtls_aead_chacha20_poly1305_context *ctx )
+{
+ uint32_t partial_block_len = (uint32_t)( ctx->ciphertext_len % 16U );
+ unsigned char zeroes[15];
+
+ if ( partial_block_len > 0U )
+ {
+ memset( zeroes, 0, sizeof(zeroes) );
+ (void)mbedtls_poly1305_update( &ctx->poly1305_ctx,
+ 16U - partial_block_len,
+ zeroes );
+ }
+}
+
+void mbedtls_aead_chacha20_poly1305_init( mbedtls_aead_chacha20_poly1305_context *ctx )
+{
+ if ( ctx != NULL )
+ {
+ mbedtls_chacha20_init( &ctx->chacha20_ctx );
+ mbedtls_poly1305_init( &ctx->poly1305_ctx );
+ ctx->aad_len = 0U;
+ ctx->ciphertext_len = 0U;
+ ctx->state = AEAD_CHACHA20_POLY1305_STATE_INIT;
+ ctx->mode = MBEDTLS_AEAD_CHACHA20_POLY1305_ENCRYPT;
+ }
+}
+
+void mbedtls_aead_chacha20_poly1305_free( mbedtls_aead_chacha20_poly1305_context *ctx )
+{
+ if ( ctx != NULL )
+ {
+ mbedtls_chacha20_free( &ctx->chacha20_ctx );
+ mbedtls_poly1305_free( &ctx->poly1305_ctx );
+ ctx->aad_len = 0U;
+ ctx->ciphertext_len = 0U;
+ ctx->state = AEAD_CHACHA20_POLY1305_STATE_INIT;
+ ctx->mode = MBEDTLS_AEAD_CHACHA20_POLY1305_ENCRYPT;
+ }
+}
+
+int mbedtls_aead_chacha20_poly1305_setkey( mbedtls_aead_chacha20_poly1305_context *ctx,
+ const unsigned char key[32] )
+{
+ int result;
+
+ if ( ( ctx == NULL ) || ( key == NULL ) )
+ {
+ return( MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_INPUT_DATA );
+ }
+
+ result = mbedtls_chacha20_setkey( &ctx->chacha20_ctx, key );
+
+ return( result );
+}
+
+int mbedtls_aead_chacha20_poly1305_starts( mbedtls_aead_chacha20_poly1305_context *ctx,
+ const unsigned char nonce[12],
+ mbedtls_aead_chacha20_poly1305_mode_t mode )
+{
+ int result;
+ unsigned char poly1305_key[64];
+
+ if ( ( ctx == NULL ) || ( nonce == NULL ) )
+ {
+ return( MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_INPUT_DATA );
+ }
+
+ result = mbedtls_chacha20_starts( &ctx->chacha20_ctx, nonce, 1U );
+ if ( result != 0 )
+ goto cleanup;
+
+ /* Generate the Poly1305 key by getting the ChaCha20 keystream output with counter = 0.
+ * Only the first 256-bits (32 bytes) of the key is used for Poly1305.
+ * The other 256 bits are discarded.
+ */
+ result = mbedtls_chacha20_keystream_block( &ctx->chacha20_ctx, 0U, poly1305_key );
+ if ( result != 0 )
+ goto cleanup;
+
+ result = mbedtls_poly1305_setkey( &ctx->poly1305_ctx, poly1305_key );
+
+ if ( result == 0 )
+ {
+ ctx->aad_len = 0U;
+ ctx->ciphertext_len = 0U;
+ ctx->state = AEAD_CHACHA20_POLY1305_STATE_AAD;
+ ctx->mode = mode;
+ }
+
+cleanup:
+ mbedtls_zeroize( poly1305_key, 64U );
+ return( result );
+}
+
+int mbedtls_aead_chacha20_poly1305_update_aad( mbedtls_aead_chacha20_poly1305_context *ctx,
+ size_t aad_len,
+ const unsigned char *aad )
+{
+ if ( ( ctx == NULL ) || ( aad == NULL ) )
+ {
+ return( MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_INPUT_DATA );
+ }
+ else if ( ctx->state != AEAD_CHACHA20_POLY1305_STATE_AAD )
+ {
+ return (MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_STATE );
+ }
+
+ ctx->aad_len += aad_len;
+
+ return ( mbedtls_poly1305_update( &ctx->poly1305_ctx, aad_len, aad ) );
+}
+
+int mbedtls_aead_chacha20_poly1305_update( mbedtls_aead_chacha20_poly1305_context *ctx,
+ size_t len,
+ const unsigned char *input,
+ unsigned char *output )
+{
+ if ( ( ctx == NULL ) || ( input == NULL ) || ( output == NULL ) )
+ {
+ return( MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_INPUT_DATA );
+ }
+ else if ( ( ctx->state != AEAD_CHACHA20_POLY1305_STATE_AAD ) &&
+ ( ctx->state != AEAD_CHACHA20_POLY1305_STATE_CIPHERTEXT ) )
+ {
+ return( MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_STATE );
+ }
+
+ if ( ctx->state == AEAD_CHACHA20_POLY1305_STATE_AAD )
+ {
+ ctx->state = AEAD_CHACHA20_POLY1305_STATE_CIPHERTEXT;
+
+ mbedtls_aead_chacha20_poly1305_pad_aad( ctx );
+ }
+
+ ctx->ciphertext_len += len;
+
+ if ( ctx->mode == MBEDTLS_AEAD_CHACHA20_POLY1305_ENCRYPT )
+ {
+ /* Note: the following functions return an error only if one or more of
+ * the input pointers are NULL. Since we have checked their validity
+ * above, we can safety ignore the return value.
+ */
+ (void)mbedtls_chacha20_update( &ctx->chacha20_ctx, len, input, output );
+ (void)mbedtls_poly1305_update( &ctx->poly1305_ctx, len, output );
+ }
+ else /* DECRYPT */
+ {
+ (void)mbedtls_poly1305_update( &ctx->poly1305_ctx, len, input );
+ (void)mbedtls_chacha20_update( &ctx->chacha20_ctx, len, input, output );
+ }
+
+ return( 0 );
+}
+
+int mbedtls_aead_chacha20_poly1305_finish( mbedtls_aead_chacha20_poly1305_context *ctx,
+ unsigned char mac[16] )
+{
+ unsigned char len_block[16];
+
+ if ( ( ctx == NULL ) || ( mac == NULL ) )
+ {
+ return( MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_INPUT_DATA );
+ }
+ else if ( ctx->state == AEAD_CHACHA20_POLY1305_STATE_INIT )
+ {
+ return( MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_STATE );
+ }
+
+ if ( ctx->state == AEAD_CHACHA20_POLY1305_STATE_AAD )
+ {
+ mbedtls_aead_chacha20_poly1305_pad_aad( ctx );
+ }
+ else if ( ctx->state == AEAD_CHACHA20_POLY1305_STATE_CIPHERTEXT )
+ {
+ mbedtls_aead_chacha20_poly1305_pad_ciphertext( ctx );
+ }
+
+ ctx->state = AEAD_CHACHA20_POLY1305_STATE_FINISHED;
+
+ /* The lengths of the AAD and ciphertext are processed by
+ * Poly1305 as the final 128-bit block, encoded as little-endian integers.
+ */
+ len_block[0] = (unsigned char)ctx->aad_len;
+ len_block[1] = (unsigned char)( ctx->aad_len >> 8 );
+ len_block[2] = (unsigned char)( ctx->aad_len >> 16 );
+ len_block[3] = (unsigned char)( ctx->aad_len >> 24 );
+ len_block[4] = (unsigned char)( ctx->aad_len >> 32 );
+ len_block[5] = (unsigned char)( ctx->aad_len >> 40 );
+ len_block[6] = (unsigned char)( ctx->aad_len >> 48 );
+ len_block[7] = (unsigned char)( ctx->aad_len >> 56 );
+ len_block[8] = (unsigned char)ctx->ciphertext_len;
+ len_block[9] = (unsigned char)( ctx->ciphertext_len >> 8 );
+ len_block[10] = (unsigned char)( ctx->ciphertext_len >> 16 );
+ len_block[11] = (unsigned char)( ctx->ciphertext_len >> 24 );
+ len_block[12] = (unsigned char)( ctx->ciphertext_len >> 32 );
+ len_block[13] = (unsigned char)( ctx->ciphertext_len >> 40 );
+ len_block[14] = (unsigned char)( ctx->ciphertext_len >> 48 );
+ len_block[15] = (unsigned char)( ctx->ciphertext_len >> 56 );
+
+ (void)mbedtls_poly1305_update( &ctx->poly1305_ctx, 16U, len_block );
+ (void)mbedtls_poly1305_finish( &ctx->poly1305_ctx, mac );
+
+ return( 0 );
+}
+
+#endif /* MBEDTLS_AEAD_CHACHA20_POLY1305_ALT */
+
+int mbedtls_aead_chacha20_poly1305_crypt_and_mac ( const unsigned char key[32],
+ const unsigned char nonce[12],
+ mbedtls_aead_chacha20_poly1305_mode_t mode,
+ size_t aad_len,
+ const unsigned char *aad,
+ size_t ilen,
+ const unsigned char *input,
+ unsigned char *output,
+ unsigned char mac[16] )
+{
+ mbedtls_aead_chacha20_poly1305_context ctx;
+ int result;
+
+ mbedtls_aead_chacha20_poly1305_init( &ctx );
+
+ result = mbedtls_aead_chacha20_poly1305_setkey( &ctx, key );
+ if ( result != 0 )
+ goto cleanup;
+
+ result = mbedtls_aead_chacha20_poly1305_starts( &ctx, nonce, mode );
+ if ( result != 0 )
+ goto cleanup;
+
+ result = mbedtls_aead_chacha20_poly1305_update_aad( &ctx, aad_len, aad );
+ if ( result != 0 )
+ goto cleanup;
+
+ result = mbedtls_aead_chacha20_poly1305_update( &ctx, ilen, input, output );
+ if ( result != 0 )
+ goto cleanup;
+
+ result = mbedtls_aead_chacha20_poly1305_finish( &ctx, mac );
+
+cleanup:
+ mbedtls_aead_chacha20_poly1305_free( &ctx );
+ return( result );
+}
+
+#if defined(MBEDTLS_SELF_TEST)
+
+static const unsigned char test_key[1][32] =
+{
+ {
+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
+ }
+};
+
+static const unsigned char test_nonce[1][12] =
+{
+ {
+ 0x07, 0x00, 0x00, 0x00, /* 32-bit common part */
+ 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47 /* 64-bit IV */
+ }
+};
+
+static const unsigned char test_aad[1][12] =
+{
+ {
+ 0x50, 0x51, 0x52, 0x53, 0xc0, 0xc1, 0xc2, 0xc3,
+ 0xc4, 0xc5, 0xc6, 0xc7
+ }
+};
+
+static const size_t test_aad_len[1] =
+{
+ 12U
+};
+
+static const unsigned char test_input[1][114] =
+{
+ {
+ 0x4c, 0x61, 0x64, 0x69, 0x65, 0x73, 0x20, 0x61,
+ 0x6e, 0x64, 0x20, 0x47, 0x65, 0x6e, 0x74, 0x6c,
+ 0x65, 0x6d, 0x65, 0x6e, 0x20, 0x6f, 0x66, 0x20,
+ 0x74, 0x68, 0x65, 0x20, 0x63, 0x6c, 0x61, 0x73,
+ 0x73, 0x20, 0x6f, 0x66, 0x20, 0x27, 0x39, 0x39,
+ 0x3a, 0x20, 0x49, 0x66, 0x20, 0x49, 0x20, 0x63,
+ 0x6f, 0x75, 0x6c, 0x64, 0x20, 0x6f, 0x66, 0x66,
+ 0x65, 0x72, 0x20, 0x79, 0x6f, 0x75, 0x20, 0x6f,
+ 0x6e, 0x6c, 0x79, 0x20, 0x6f, 0x6e, 0x65, 0x20,
+ 0x74, 0x69, 0x70, 0x20, 0x66, 0x6f, 0x72, 0x20,
+ 0x74, 0x68, 0x65, 0x20, 0x66, 0x75, 0x74, 0x75,
+ 0x72, 0x65, 0x2c, 0x20, 0x73, 0x75, 0x6e, 0x73,
+ 0x63, 0x72, 0x65, 0x65, 0x6e, 0x20, 0x77, 0x6f,
+ 0x75, 0x6c, 0x64, 0x20, 0x62, 0x65, 0x20, 0x69,
+ 0x74, 0x2e
+ }
+};
+
+static const unsigned char test_output[1][114] =
+{
+ {
+ 0xd3, 0x1a, 0x8d, 0x34, 0x64, 0x8e, 0x60, 0xdb,
+ 0x7b, 0x86, 0xaf, 0xbc, 0x53, 0xef, 0x7e, 0xc2,
+ 0xa4, 0xad, 0xed, 0x51, 0x29, 0x6e, 0x08, 0xfe,
+ 0xa9, 0xe2, 0xb5, 0xa7, 0x36, 0xee, 0x62, 0xd6,
+ 0x3d, 0xbe, 0xa4, 0x5e, 0x8c, 0xa9, 0x67, 0x12,
+ 0x82, 0xfa, 0xfb, 0x69, 0xda, 0x92, 0x72, 0x8b,
+ 0x1a, 0x71, 0xde, 0x0a, 0x9e, 0x06, 0x0b, 0x29,
+ 0x05, 0xd6, 0xa5, 0xb6, 0x7e, 0xcd, 0x3b, 0x36,
+ 0x92, 0xdd, 0xbd, 0x7f, 0x2d, 0x77, 0x8b, 0x8c,
+ 0x98, 0x03, 0xae, 0xe3, 0x28, 0x09, 0x1b, 0x58,
+ 0xfa, 0xb3, 0x24, 0xe4, 0xfa, 0xd6, 0x75, 0x94,
+ 0x55, 0x85, 0x80, 0x8b, 0x48, 0x31, 0xd7, 0xbc,
+ 0x3f, 0xf4, 0xde, 0xf0, 0x8e, 0x4b, 0x7a, 0x9d,
+ 0xe5, 0x76, 0xd2, 0x65, 0x86, 0xce, 0xc6, 0x4b,
+ 0x61, 0x16
+ }
+};
+
+static const size_t test_input_len[1] =
+{
+ 114U
+};
+
+static const unsigned char test_mac[1][16] =
+{
+ {
+ 0x1a, 0xe1, 0x0b, 0x59, 0x4f, 0x09, 0xe2, 0x6a,
+ 0x7e, 0x90, 0x2e, 0xcb, 0xd0, 0x60, 0x06, 0x91
+ }
+};
+
+int mbedtls_aead_chacha20_poly1305_self_test( int verbose )
+{
+ size_t i;
+ int result;
+ unsigned char output[200];
+ unsigned char mac[16];
+
+ for ( i = 0U; i < 1U; i++ )
+ {
+ result = mbedtls_aead_chacha20_poly1305_crypt_and_mac( test_key[i],
+ test_nonce[i],
+ MBEDTLS_AEAD_CHACHA20_POLY1305_ENCRYPT,
+ test_aad_len[i],
+ test_aad[i],
+ test_input_len[i],
+ test_input[i],
+ output,
+ mac );
+ if ( result != 0 )
+ {
+ if ( verbose != 0 )
+ {
+ mbedtls_printf( "ChaCha20-Poly1305 test %zi error code: %i\n", i, result );
+ }
+ return( -1 );
+ }
+
+ if ( memcmp( output, test_output[i], test_input_len[i] ) != 0 )
+ {
+ if ( verbose != 0 )
+ {
+ mbedtls_printf( "ChaCha20-Poly1305 test %zi failure (wrong output)\n", i );
+ }
+ return( -1 );
+ }
+
+ if ( memcmp( mac, test_mac[i], 16U ) != 0 )
+ {
+ if ( verbose != 0 )
+ {
+ mbedtls_printf( "ChaCha20-Poly1305 test %zi failure (wrong MAC)\n", i );
+ }
+ return( -1 );
+ }
+ }
+
+ return( 0 );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_AEAD_CHACHA20_POLY1305_C */
diff --git a/library/chacha20.c b/library/chacha20.c
index 8206a3b..b20c7ad 100644
--- a/library/chacha20.c
+++ b/library/chacha20.c
@@ -134,46 +134,47 @@
* \param working_state This state is used as a temporary working area.
* \param keystream Generated keystream bytes are written to this buffer.
*/
-static void mbedtls_chacha20_block( mbedtls_chacha20_context *ctx,
+static void mbedtls_chacha20_block( const uint32_t initial_state[16],
+ uint32_t working_state[16],
unsigned char keystream[64] )
{
size_t i;
size_t offset;
- memcpy( ctx->working_state,
- ctx->initial_state,
- sizeof(ctx->initial_state) );
+ memcpy( working_state,
+ initial_state,
+ CHACHA20_BLOCK_SIZE_BYTES );
for ( i = 0U; i < 10U; i++ )
{
- mbedtls_chacha20_inner_block( ctx->working_state );
+ mbedtls_chacha20_inner_block( working_state );
}
- ctx->working_state[0] += ctx->initial_state[0];
- ctx->working_state[1] += ctx->initial_state[1];
- ctx->working_state[2] += ctx->initial_state[2];
- ctx->working_state[3] += ctx->initial_state[3];
- ctx->working_state[4] += ctx->initial_state[4];
- ctx->working_state[5] += ctx->initial_state[5];
- ctx->working_state[6] += ctx->initial_state[6];
- ctx->working_state[7] += ctx->initial_state[7];
- ctx->working_state[8] += ctx->initial_state[8];
- ctx->working_state[9] += ctx->initial_state[9];
- ctx->working_state[10] += ctx->initial_state[10];
- ctx->working_state[11] += ctx->initial_state[11];
- ctx->working_state[12] += ctx->initial_state[12];
- ctx->working_state[13] += ctx->initial_state[13];
- ctx->working_state[14] += ctx->initial_state[14];
- ctx->working_state[15] += ctx->initial_state[15];
+ working_state[0] += initial_state[0];
+ working_state[1] += initial_state[1];
+ working_state[2] += initial_state[2];
+ working_state[3] += initial_state[3];
+ working_state[4] += initial_state[4];
+ working_state[5] += initial_state[5];
+ working_state[6] += initial_state[6];
+ working_state[7] += initial_state[7];
+ working_state[8] += initial_state[8];
+ working_state[9] += initial_state[9];
+ working_state[10] += initial_state[10];
+ working_state[11] += initial_state[11];
+ working_state[12] += initial_state[12];
+ working_state[13] += initial_state[13];
+ working_state[14] += initial_state[14];
+ working_state[15] += initial_state[15];
for ( i = 0U; i < 16; i++ )
{
offset = i * 4U;
- keystream[offset ] = (unsigned char) ctx->working_state[i];
- keystream[offset + 1U] = (unsigned char)( ctx->working_state[i] >> 8 );
- keystream[offset + 2U] = (unsigned char)( ctx->working_state[i] >> 16 );
- keystream[offset + 3U] = (unsigned char)( ctx->working_state[i] >> 24 );
+ keystream[offset ] = (unsigned char) working_state[i];
+ keystream[offset + 1U] = (unsigned char)( working_state[i] >> 8 );
+ keystream[offset + 2U] = (unsigned char)( working_state[i] >> 16 );
+ keystream[offset + 3U] = (unsigned char)( working_state[i] >> 24 );
}
}
@@ -245,6 +246,43 @@
return( 0 );
}
+int mbedtls_chacha20_keystream_block( const mbedtls_chacha20_context *ctx,
+ uint32_t counter,
+ unsigned char keystream[64] )
+{
+ uint32_t initial_state[16];
+ uint32_t working_state[16];
+
+ if ( ( ctx == NULL ) || ( keystream == NULL ) )
+ {
+ return( MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA );
+ }
+
+ initial_state[0] = ctx->initial_state[0];
+ initial_state[1] = ctx->initial_state[1];
+ initial_state[2] = ctx->initial_state[2];
+ initial_state[3] = ctx->initial_state[3];
+ initial_state[4] = ctx->initial_state[4];
+ initial_state[5] = ctx->initial_state[5];
+ initial_state[6] = ctx->initial_state[6];
+ initial_state[7] = ctx->initial_state[7];
+ initial_state[8] = ctx->initial_state[8];
+ initial_state[9] = ctx->initial_state[9];
+ initial_state[10] = ctx->initial_state[10];
+ initial_state[11] = ctx->initial_state[11];
+ initial_state[12] = counter;
+ initial_state[13] = ctx->initial_state[13];
+ initial_state[14] = ctx->initial_state[14];
+ initial_state[15] = ctx->initial_state[15];
+
+ mbedtls_chacha20_block( initial_state, working_state, keystream );
+
+ mbedtls_zeroize( initial_state, sizeof(initial_state) );
+ mbedtls_zeroize( working_state, sizeof(working_state) );
+
+ return ( 0 );
+}
+
int mbedtls_chacha20_update( mbedtls_chacha20_context *ctx,
size_t size,
const unsigned char *input,
@@ -271,7 +309,7 @@
/* Process full blocks */
while ( size >= CHACHA20_BLOCK_SIZE_BYTES )
{
- mbedtls_chacha20_block( ctx, &output[offset] );
+ mbedtls_chacha20_block( ctx->initial_state, ctx->working_state, &output[offset] );
for ( i = 0U; i < 64U; i += 8U )
{
@@ -288,14 +326,14 @@
/* Increment counter */
ctx->initial_state[CHACHA20_CTR_INDEX]++;
- offset += 64U;
- size -= 64U;
+ offset += CHACHA20_BLOCK_SIZE_BYTES;
+ size -= CHACHA20_BLOCK_SIZE_BYTES;
}
/* Last (partial) block */
if ( size > 0U )
{
- mbedtls_chacha20_block( ctx, ctx->keystream8 );
+ mbedtls_chacha20_block( ctx->initial_state, ctx->working_state, ctx->keystream8 );
for ( i = 0U; i < size; i++)
{
diff --git a/library/error.c b/library/error.c
index 12bd210..d0a75ca 100644
--- a/library/error.c
+++ b/library/error.c
@@ -41,6 +41,10 @@
#include <stdio.h>
+#if defined(MBEDTLS_AEAD_CHACHA20_POLY1305_C)
+#include "mbedtls/aead_chacha20_poly1305.h"
+#endif
+
#if defined(MBEDTLS_AES_C)
#include "mbedtls/aes.h"
#endif
@@ -575,6 +579,13 @@
// Low level error codes
//
// BEGIN generated code
+#if defined(MBEDTLS_AEAD_CHACHA20_POLY1305_C)
+ if( use_ret == -(MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_INPUT_DATA) )
+ mbedtls_snprintf( buf, buflen, "AEAD_CHACHA20_POLY1305 - Invalid input parameter(s)" );
+ if( use_ret == -(MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_STATE) )
+ mbedtls_snprintf( buf, buflen, "AEAD_CHACHA20_POLY1305 - The requested operation is not permitted in the current state" );
+#endif /* MBEDTLS_AEAD_CHACHA20_POLY1305_C */
+
#if defined(MBEDTLS_AES_C)
if( use_ret == -(MBEDTLS_ERR_AES_INVALID_KEY_LENGTH) )
mbedtls_snprintf( buf, buflen, "AES - Invalid key length" );
diff --git a/library/version_features.c b/library/version_features.c
index babf2c7..64aa9f6 100644
--- a/library/version_features.c
+++ b/library/version_features.c
@@ -516,6 +516,9 @@
#if defined(MBEDTLS_AES_C)
"MBEDTLS_AES_C",
#endif /* MBEDTLS_AES_C */
+#if defined(MBEDTLS_AEAD_CHACHA20_POLY1305_C)
+ "MBEDTLS_AEAD_CHACHA20_POLY1305_C",
+#endif /* MBEDTLS_AEAD_CHACHA20_POLY1305_C */
#if defined(MBEDTLS_ARC4_C)
"MBEDTLS_ARC4_C",
#endif /* MBEDTLS_ARC4_C */
diff --git a/scripts/generate_errors.pl b/scripts/generate_errors.pl
index 1dac39b..b5d1413 100755
--- a/scripts/generate_errors.pl
+++ b/scripts/generate_errors.pl
@@ -29,7 +29,7 @@
my $error_format_file = $data_dir.'/error.fmt';
-my @low_level_modules = qw( AES ARC4 ASN1 BASE64 BIGNUM BLOWFISH
+my @low_level_modules = qw( AEAD_CHACHA20_POLY1305 AES ARC4 ASN1 BASE64 BIGNUM BLOWFISH
CAMELLIA CCM CHACHA20 CMAC CTR_DRBG DES
ENTROPY GCM HMAC_DRBG MD2 MD4 MD5
NET OID PADLOCK PBKDF2 POLY1305 RIPEMD160
@@ -88,6 +88,7 @@
$module_name = "BIGNUM" if ($module_name eq "MPI");
$module_name = "CTR_DRBG" if ($module_name eq "CTR");
$module_name = "HMAC_DRBG" if ($module_name eq "HMAC");
+ $module_name = "AEAD_CHACHA20_POLY1305" if ($module_name eq "AEAD");
my $define_name = $module_name;
$define_name = "X509_USE,X509_CREATE" if ($define_name eq "X509");
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index 82f1554..03797ec 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -44,6 +44,7 @@
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} /WX-")
endif(MSVC)
+add_test_suite(aead_chacha20_poly1305)
add_test_suite(aes aes.ecb)
add_test_suite(aes aes.cbc)
add_test_suite(aes aes.cfb)
diff --git a/tests/Makefile b/tests/Makefile
index 90b2028..4a23e64 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -45,7 +45,8 @@
LOCAL_LDFLAGS += -lz
endif
-APPS = test_suite_aes.ecb$(EXEXT) test_suite_aes.cbc$(EXEXT) \
+APPS = test_suite_aead_chacha20_poly1305$(EXEXT) \
+ test_suite_aes.ecb$(EXEXT) test_suite_aes.cbc$(EXEXT) \
test_suite_aes.cfb$(EXEXT) test_suite_aes.rest$(EXEXT) \
test_suite_arc4$(EXEXT) test_suite_asn1write$(EXEXT) \
test_suite_base64$(EXEXT) test_suite_blowfish$(EXEXT) \
@@ -203,6 +204,11 @@
echo " Gen $@"
perl scripts/generate_code.pl suites $* $*
+
+test_suite_aead_chacha20_poly1305$(EXEXT): test_suite_aead_chacha20_poly1305.c $(DEP)
+ echo " CC $<"
+ $(CC) $(LOCAL_CFLAGS) $(CFLAGS) $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
+
test_suite_aes.ecb$(EXEXT): test_suite_aes.ecb.c $(DEP)
echo " CC $<"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
diff --git a/tests/suites/test_suite_aead_chacha20_poly1305.data b/tests/suites/test_suite_aead_chacha20_poly1305.data
new file mode 100644
index 0000000..1cbfa24
--- /dev/null
+++ b/tests/suites/test_suite_aead_chacha20_poly1305.data
@@ -0,0 +1,19 @@
+ChaCha20-Poly1305 RFC 7539 Example and Test Vector (Encrypt)
+depends_on:MBEDTLS_AEAD_CHACHA20_POLY1305_C
+mbedtls_aead_chacha20_poly1305_enc:"808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f":"070000004041424344454647":"50515253c0c1c2c3c4c5c6c7":"4c616469657320616e642047656e746c656d656e206f662074686520636c617373206f66202739393a204966204920636f756c64206f6666657220796f75206f6e6c79206f6e652074697020666f7220746865206675747572652c2073756e73637265656e20776f756c642062652069742e":"d31a8d34648e60db7b86afbc53ef7ec2a4aded51296e08fea9e2b5a736ee62d63dbea45e8ca9671282fafb69da92728b1a71de0a9e060b2905d6a5b67ecd3b3692ddbd7f2d778b8c9803aee328091b58fab324e4fad675945585808b4831d7bc3ff4def08e4b7a9de576d26586cec64b6116":"1ae10b594f09e26a7e902ecbd0600691"
+
+ChaCha20-Poly1305 RFC 7539 Example and Test Vector (Encrypt)
+depends_on:MBEDTLS_AEAD_CHACHA20_POLY1305_C
+mbedtls_aead_chacha20_poly1305_dec:"808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f":"070000004041424344454647":"50515253c0c1c2c3c4c5c6c7":"d31a8d34648e60db7b86afbc53ef7ec2a4aded51296e08fea9e2b5a736ee62d63dbea45e8ca9671282fafb69da92728b1a71de0a9e060b2905d6a5b67ecd3b3692ddbd7f2d778b8c9803aee328091b58fab324e4fad675945585808b4831d7bc3ff4def08e4b7a9de576d26586cec64b6116":"4c616469657320616e642047656e746c656d656e206f662074686520636c617373206f66202739393a204966204920636f756c64206f6666657220796f75206f6e6c79206f6e652074697020666f7220746865206675747572652c2073756e73637265656e20776f756c642062652069742e":"1ae10b594f09e26a7e902ecbd0600691"
+
+ChaCha20-Poly1305 RFC 7539 Test Vector #1 (Encrypt)
+depends_on:MBEDTLS_AEAD_CHACHA20_POLY1305_C
+mbedtls_aead_chacha20_poly1305_enc:"1c9240a5eb55d38af333888604f6b5f0473917c1402b80099dca5cbc207075c0":"000000000102030405060708":"f33388860000000000004e91":"496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d6f6e74687320616e64206d617920626520757064617465642c207265706c616365642c206f72206f62736f6c65746564206279206f7468657220646f63756d656e747320617420616e792074696d652e20497420697320696e617070726f70726961746520746f2075736520496e7465726e65742d447261667473206173207265666572656e6365206d6174657269616c206f7220746f2063697465207468656d206f74686572207468616e206173202fe2809c776f726b20696e2070726f67726573732e2fe2809d":"64a0861575861af460f062c79be643bd5e805cfd345cf389f108670ac76c8cb24c6cfc18755d43eea09ee94e382d26b0bdb7b73c321b0100d4f03b7f355894cf332f830e710b97ce98c8a84abd0b948114ad176e008d33bd60f982b1ff37c8559797a06ef4f0ef61c186324e2b3506383606907b6a7c02b0f9f6157b53c867e4b9166c767b804d46a59b5216cde7a4e99040c5a40433225ee282a1b0a06c523eaf4534d7f83fa1155b0047718cbc546a0d072b04b3564eea1b422273f548271a0bb2316053fa76991955ebd63159434ecebb4e466dae5a1073a6727627097a1049e617d91d361094fa68f0ff77987130305beaba2eda04df997b714d6c6f2c29a6ad5cb4022b02709b":"eead9d67890cbb22392336fea1851f38"
+
+ChaCha20-Poly1305 RFC 7539 Test Vector #1 (Decrypt)
+depends_on:MBEDTLS_AEAD_CHACHA20_POLY1305_C
+mbedtls_aead_chacha20_poly1305_dec:"1c9240a5eb55d38af333888604f6b5f0473917c1402b80099dca5cbc207075c0":"000000000102030405060708":"f33388860000000000004e91":"64a0861575861af460f062c79be643bd5e805cfd345cf389f108670ac76c8cb24c6cfc18755d43eea09ee94e382d26b0bdb7b73c321b0100d4f03b7f355894cf332f830e710b97ce98c8a84abd0b948114ad176e008d33bd60f982b1ff37c8559797a06ef4f0ef61c186324e2b3506383606907b6a7c02b0f9f6157b53c867e4b9166c767b804d46a59b5216cde7a4e99040c5a40433225ee282a1b0a06c523eaf4534d7f83fa1155b0047718cbc546a0d072b04b3564eea1b422273f548271a0bb2316053fa76991955ebd63159434ecebb4e466dae5a1073a6727627097a1049e617d91d361094fa68f0ff77987130305beaba2eda04df997b714d6c6f2c29a6ad5cb4022b02709b":"496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d6f6e74687320616e64206d617920626520757064617465642c207265706c616365642c206f72206f62736f6c65746564206279206f7468657220646f63756d656e747320617420616e792074696d652e20497420697320696e617070726f70726961746520746f2075736520496e7465726e65742d447261667473206173207265666572656e6365206d6174657269616c206f7220746f2063697465207468656d206f74686572207468616e206173202fe2809c776f726b20696e2070726f67726573732e2fe2809d":"eead9d67890cbb22392336fea1851f38"
+
+ChaCha20-Poly1305 Selftest
+depends_on:MBEDTLS_AEAD_CHACHA20_POLY1305_C:MBEDTLS_SELF_TEST
+aead_chacha20_poly1305_selftest:
diff --git a/tests/suites/test_suite_aead_chacha20_poly1305.function b/tests/suites/test_suite_aead_chacha20_poly1305.function
new file mode 100644
index 0000000..6abd054
--- /dev/null
+++ b/tests/suites/test_suite_aead_chacha20_poly1305.function
@@ -0,0 +1,109 @@
+/* BEGIN_HEADER */
+#include "mbedtls/aead_chacha20_poly1305.h"
+/* END_HEADER */
+
+/* BEGIN_DEPENDENCIES
+ * depends_on:MBEDTLS_AEAD_CHACHA20_POLY1305_C
+ * END_DEPENDENCIES
+ */
+
+/* BEGIN_CASE */
+void mbedtls_aead_chacha20_poly1305_enc( char *hex_key_string, char *hex_nonce_string, char *hex_aad_string, char *hex_input_string, char *hex_output_string, char *hex_mac_string )
+{
+ unsigned char key_str[32];
+ unsigned char nonce_str[12];
+ unsigned char aad_str[10000];
+ unsigned char input_str[10000];
+ unsigned char output_str[10000];
+ unsigned char mac_str[16];
+ unsigned char output[10000];
+ unsigned char mac[16];
+ size_t input_len;
+ size_t output_len;
+ size_t aad_len;
+ size_t key_len;
+ size_t nonce_len;
+ size_t mac_len;
+
+ memset( key_str, 0x00, 32 );
+ memset( nonce_str, 0x00, 12 );
+ memset( aad_str, 0x00, 10000 );
+ memset( input_str, 0x00, 10000 );
+ memset( output_str, 0x00, 10000 );
+ memset( mac_str, 0x00, 16 );
+
+ aad_len = unhexify( aad_str, hex_aad_string );
+ input_len = unhexify( input_str, hex_input_string );
+ output_len = unhexify( output_str, hex_output_string );
+ key_len = unhexify( key_str, hex_key_string );
+ nonce_len = unhexify( nonce_str, hex_nonce_string );
+ mac_len = unhexify( mac_str, hex_mac_string );
+
+ TEST_ASSERT( key_len == 32 );
+ TEST_ASSERT( nonce_len == 12 );
+ TEST_ASSERT( mac_len == 16 );
+
+ mbedtls_aead_chacha20_poly1305_crypt_and_mac( key_str, nonce_str,
+ MBEDTLS_AEAD_CHACHA20_POLY1305_ENCRYPT,
+ aad_len, aad_str,
+ input_len, input_str, output,
+ mac );
+
+ TEST_ASSERT( memcmp( output_str, output, output_len ) == 0 );
+ TEST_ASSERT( memcmp( mac_str, mac, 16U ) == 0 );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void mbedtls_aead_chacha20_poly1305_dec( char *hex_key_string, char *hex_nonce_string, char *hex_aad_string, char *hex_input_string, char *hex_output_string, char *hex_mac_string )
+{
+ unsigned char key_str[32];
+ unsigned char nonce_str[12];
+ unsigned char aad_str[10000];
+ unsigned char input_str[10000];
+ unsigned char output_str[10000];
+ unsigned char mac_str[16];
+ unsigned char output[10000];
+ unsigned char mac[16];
+ size_t input_len;
+ size_t output_len;
+ size_t aad_len;
+ size_t key_len;
+ size_t nonce_len;
+ size_t mac_len;
+
+ memset( key_str, 0x00, 32 );
+ memset( nonce_str, 0x00, 12 );
+ memset( aad_str, 0x00, 10000 );
+ memset( input_str, 0x00, 10000 );
+ memset( output_str, 0x00, 10000 );
+ memset( mac_str, 0x00, 16 );
+
+ aad_len = unhexify( aad_str, hex_aad_string );
+ input_len = unhexify( input_str, hex_input_string );
+ output_len = unhexify( output_str, hex_output_string );
+ key_len = unhexify( key_str, hex_key_string );
+ nonce_len = unhexify( nonce_str, hex_nonce_string );
+ mac_len = unhexify( mac_str, hex_mac_string );
+
+ TEST_ASSERT( key_len == 32 );
+ TEST_ASSERT( nonce_len == 12 );
+ TEST_ASSERT( mac_len == 16 );
+
+ mbedtls_aead_chacha20_poly1305_crypt_and_mac( key_str, nonce_str,
+ MBEDTLS_AEAD_CHACHA20_POLY1305_DECRYPT,
+ aad_len, aad_str,
+ input_len, input_str, output,
+ mac );
+
+ TEST_ASSERT( memcmp( output_str, output, output_len ) == 0 );
+ TEST_ASSERT( memcmp( mac_str, mac, 16U ) == 0 );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */
+void aead_chacha20_poly1305_selftest()
+{
+ TEST_ASSERT( mbedtls_aead_chacha20_poly1305_self_test( 1 ) == 0 );
+}
+/* END_CASE */