Implement AEAD-ChaCha20-Poly1305.
This implementation is based off the description in RFC 7539.
The ChaCha20 code is also updated to provide a means of generating
keystream blocks with arbitrary counter values. This is used to
generated the one-time Poly1305 key in the AEAD construction.
diff --git a/include/mbedtls/aead_chacha20_poly1305.h b/include/mbedtls/aead_chacha20_poly1305.h
new file mode 100644
index 0000000..a1ccf31
--- /dev/null
+++ b/include/mbedtls/aead_chacha20_poly1305.h
@@ -0,0 +1,224 @@
+/**
+ * \file aead_chacha20_poly1305.h
+ *
+ * \brief ChaCha20-Poly1305 AEAD construction based on RFC 7539.
+ *
+ * Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_AEAD_CHACHA20_POLY1305_H
+#define MBEDTLS_AEAD_CHACHA20_POLY1305_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if !defined(MBEDTLS_AEAD_CHACHA20_POLY1305_ALT)
+
+#include "chacha20.h"
+#include "poly1305.h"
+
+#define MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_INPUT_DATA -0x00047 /**< Invalid input parameter(s). */
+#define MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_STATE -0x00049 /**< The requested operation is not permitted in the current state */
+
+typedef enum
+{
+ MBEDTLS_AEAD_CHACHA20_POLY1305_ENCRYPT,
+ MBEDTLS_AEAD_CHACHA20_POLY1305_DECRYPT
+}
+mbedtls_aead_chacha20_poly1305_mode_t;
+
+typedef struct
+{
+ mbedtls_chacha20_context chacha20_ctx; /** ChaCha20 context */
+ mbedtls_poly1305_context poly1305_ctx; /** Poly1305 context */
+ uint64_t aad_len; /** Length (bytes) of the Additional Authenticated Data */
+ uint64_t ciphertext_len; /** Length (bytes) of the ciphertext */
+ int state; /** Current state of the context */
+ mbedtls_aead_chacha20_poly1305_mode_t mode; /** Cipher mode (encrypt or decrypt) */
+}
+mbedtls_aead_chacha20_poly1305_context;
+
+/**
+ * \brief Initialize ChaCha20-Poly1305 context
+ *
+ * \param ctx ChaCha20-Poly1305 context to be initialized
+ */
+void mbedtls_aead_chacha20_poly1305_init( mbedtls_aead_chacha20_poly1305_context *ctx );
+
+/**
+ * \brief Clear ChaCha20-Poly1305 context
+ *
+ * \param ctx ChaCha20-Poly1305 context to be cleared
+ */
+void mbedtls_aead_chacha20_poly1305_free( mbedtls_aead_chacha20_poly1305_context *ctx );
+
+/**
+ * \brief Set the ChaCha20-Poly1305 symmetric encryption key.
+ *
+ * \param ctx The ChaCha20-Poly1305 context.
+ * \param key The 256-bit (32 bytes) key.
+ *
+ * \return MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_INPUT_DATA is returned
+ * if \p ctx or \p key are NULL.
+ * Otherwise, 0 is returned to indicate success.
+ */
+int mbedtls_aead_chacha20_poly1305_setkey( mbedtls_aead_chacha20_poly1305_context *ctx,
+ const unsigned char key[32] );
+
+/**
+ * \brief Setup ChaCha20-Poly1305 context for encryption or decryption.
+ *
+ * \note If the context is being used for AAD only (no data to
+ * encrypt or decrypt) then \p mode can be set to any value.
+ *
+ * \param ctx The ChaCha20-Poly1305 context.
+ * \param nonce The nonce/IV to use for the message. This must be unique
+ * for every message encrypted under the same key.
+ * \param mode Specifies whether the context is used to encrypt or
+ * decrypt data.
+ *
+ * \return MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_INPUT_DATA is returned
+ * if \p ctx or \p mac are NULL.
+ * Otherwise, 0 is returned to indicate success.
+ */
+int mbedtls_aead_chacha20_poly1305_starts( mbedtls_aead_chacha20_poly1305_context *ctx,
+ const unsigned char nonce[12],
+ mbedtls_aead_chacha20_poly1305_mode_t mode );
+
+/**
+ * \brief Process additional authenticated data (AAD).
+ *
+ * This function processes data that is authenticated, but
+ * not encrypted.
+ *
+ * \note This function is called before data is encrypted/decrypted.
+ * I.e. call this function to process the AAD before calling
+ * mbedtls_aead_chacha20_poly1305_update.
+ *
+ * You may call this function multiple times to process
+ * an arbitrary amount of AAD. It is permitted to call
+ * this function 0 times, if no AAD is used.
+ *
+ * This function cannot be called any more if data has
+ * been processed by mbedtls_aead_chacha20_poly1305_update,
+ * or if the context has been finished.
+ *
+ * \param ctx The ChaCha20-Poly1305 context.
+ * \param aad_len The length (in bytes) of the AAD. The length has no
+ * restrictions.
+ * \param aad Buffer containing the AAD.
+ *
+ * \return MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_INPUT_DATA is returned
+ * if \p ctx or \p aad are NULL.
+ * MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_STATE is returned if
+ * the context has not been setup, the context has been
+ * finished, or if the AAD has been finished.
+ * Otherwise, 0 is returned to indicate success.
+ */
+int mbedtls_aead_chacha20_poly1305_update_aad( mbedtls_aead_chacha20_poly1305_context *ctx,
+ size_t aad_len,
+ const unsigned char *aad );
+
+/**
+ * \brief Encrypt/decrypt data.
+ *
+ * The direction (encryption or decryption) depends on the
+ * mode that was given when calling
+ * mbedtls_aead_chacha20_poly1305_starts.
+ *
+ * You may call this function multiple times to process
+ * an arbitrary amount of data. It is permitted to call
+ * this function 0 times, if no data is to be encrypted
+ * or decrypted.
+ *
+ * \param ctx The ChaCha20-Poly1305 context.
+ * \param len The length (in bytes) of the data to encrypt or decrypt.
+ * \param input Buffer containing the data to encrypt or decrypt.
+ * \param output Buffer to where the encrypted or decrypted data is written.
+ *
+ * \return MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_INPUT_DATA is returned
+ * if \p ctx, \p input, or \p output are NULL.
+ * MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_STATE is returned if
+ * the context has not been setup, or if the context has been
+ * finished.
+ * Otherwise, 0 is returned to indicate success.
+ */
+int mbedtls_aead_chacha20_poly1305_update( mbedtls_aead_chacha20_poly1305_context *ctx,
+ size_t len,
+ const unsigned char *input,
+ unsigned char *output );
+
+/**
+ * \brief Compute the ChaCha20-Poly1305 MAC.
+ *
+ * \param ctx The ChaCha20-Poly1305 context.
+ * \param mac Buffer to where the 128-bit (16 bytes) MAC is written.
+ *
+ * \return MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_INPUT_DATA is returned
+ * if \p ctx or \p mac are NULL.
+ * MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_STATE is returned if
+ * the context has not been setup.
+ * Otherwise, 0 is returned to indicate success.
+ */
+int mbedtls_aead_chacha20_poly1305_finish( mbedtls_aead_chacha20_poly1305_context *ctx,
+ unsigned char mac[16] );
+
+#else /* !MBEDTLS_AEAD_CHACHA20_POLY1305_ALT */
+#include "aead_chacha20_poly1305_alt.h"
+#endif /* !MBEDTLS_AEAD_CHACHA20_POLY1305_ALT */
+
+/**
+ * \brief Encrypt or decrypt data, and produce a MAC with ChaCha20-Poly1305.
+ *
+ * \param key The 256-bit (32 bytes) encryption key to use.
+ * \param nonce The 96-bit (12 bytes) nonce/IV to use.
+ * \param mode Specifies whether the data in the \p input buffer is to
+ * be encrypted or decrypted. If there is no data to encrypt
+ * or decrypt (i.e. \p ilen is 0) then the value of this
+ * parameter does not matter.
+ * \param aad_len The length (in bytes) of the AAD data to process.
+ * \param aad Buffer containing the additional authenticated data (AAD).
+ * \param ilen The length (in bytes) of the data to encrypt or decrypt.
+ * \param input Buffer containing the data to encrypt or decrypt.
+ * \param output Buffer to where the encrypted or decrypted data is written.
+ * \param mac Buffer to where the computed 128-bit (16 bytes) MAC is written.
+ *
+ * \return MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_INPUT_DATA is returned
+ * if one or more of the required parameters are NULL.
+ * Otherwise, 0 is returned to indicate success.
+ */
+int mbedtls_aead_chacha20_poly1305_crypt_and_mac( const unsigned char key[32],
+ const unsigned char nonce[12],
+ mbedtls_aead_chacha20_poly1305_mode_t mode,
+ size_t aad_len,
+ const unsigned char *aad,
+ size_t ilen,
+ const unsigned char *input,
+ unsigned char *output,
+ unsigned char mac[16] );
+
+/**
+ * \brief Checkup routine
+ *
+ * \return 0 if successful, or 1 if the test failed
+ */
+int mbedtls_aead_chacha20_poly1305_self_test( int verbose );
+
+#endif /* MBEDTLS_AEAD_CHACHA20_POLY1305_H */
diff --git a/include/mbedtls/chacha20.h b/include/mbedtls/chacha20.h
index d23618e..ab87f66 100644
--- a/include/mbedtls/chacha20.h
+++ b/include/mbedtls/chacha20.h
@@ -100,6 +100,27 @@
uint32_t counter );
/**
+ * \brief Generates a block of keystream bytes for a specific counter value.
+ *
+ * This function uses the key and nonce previously set in
+ * the context (via mbedtls_chacha20_setkey and
+ * mbedtls_chacha20_starts), but ignores the previously
+ * set counter and uses the counter given as the parameter to
+ * this function.
+ *
+ * \param ctx The ChaCha20 context. This context is not modified.
+ * \param counter The counter value to use.
+ * \param keystream Buffer to where the generated keystream bytes are written.
+ *
+ * \return MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA if ctx or keystream are
+ * NULL.
+ * Otherwise, 0 is returned to indicate success.
+ */
+int mbedtls_chacha20_keystream_block( const mbedtls_chacha20_context *ctx,
+ uint32_t counter,
+ unsigned char keystream[64] );
+
+/**
* \brief Encrypt or decrypt data.
*
* This function is used to both encrypt and decrypt data.
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 7d0960a..22d465c 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -269,6 +269,7 @@
* digests and ciphers instead.
*
*/
+//#define MBEDTLS_AEAD_CHACHA20_POLY1305_ALT
//#define MBEDTLS_AES_ALT
//#define MBEDTLS_ARC4_ALT
//#define MBEDTLS_BLOWFISH_ALT
@@ -1689,6 +1690,17 @@
#define MBEDTLS_AES_C
/**
+ * \def MBEDTLS_AEAD_CHACHA20_POLY1305_C
+ *
+ * Enable the ChaCha20-Poly1305 AEAD algorithm.
+ *
+ * Module: library/aead_chacha20_poly1305.c
+ *
+ * This module requires: MBEDTLS_CHACHA20_C, MBEDTLS_POLY1305_C
+ */
+#define MBEDTLS_AEAD_CHACHA20_POLY1305_C
+
+/**
* \def MBEDTLS_ARC4_C
*
* Enable the ARCFOUR stream cipher.
@@ -1838,6 +1850,16 @@
#define MBEDTLS_CAMELLIA_C
/**
+ * \def MBEDTLS_CHACHA20_C
+ *
+ * Enable the ChaCha20 block cipher.
+ *
+ * Module: library/chacha20.c
+ * Caller: library/aead_chacha20_poly1305.c
+ */
+#define MBEDTLS_CHACHA20_C
+
+/**
* \def MBEDTLS_CCM_C
*
* Enable the Counter with CBC-MAC (CCM) mode for 128-bit block cipher.
@@ -2405,6 +2427,7 @@
* Enable the Poly1305 MAC algorithm.
*
* Module: library/poly1305.c
+ * Caller: library/aead_chacha20_poly1305.c
*/
#define MBEDTLS_POLY1305_C
diff --git a/include/mbedtls/error.h b/include/mbedtls/error.h
index feeda79..72b7f18 100644
--- a/include/mbedtls/error.h
+++ b/include/mbedtls/error.h
@@ -78,6 +78,7 @@
* SHA512 1 0x0039-0x0039
* CHACHA20 1 0x003B-0x003B
* POLY1305 1 0x0041-0x0041
+ * AEAD_CHACHA20_POLY1305 2 0x0047-0x0049
*
* High-level module nr (3 bits - 0x0...-0x7...)
* Name ID Nr of Errors