Initial implementation of ChaCha20
diff --git a/include/mbedtls/chacha20.h b/include/mbedtls/chacha20.h
new file mode 100644
index 0000000..ab10a96
--- /dev/null
+++ b/include/mbedtls/chacha20.h
@@ -0,0 +1,169 @@
+/**
+ * \file chacha20.h
+ *
+ * \brief ChaCha20 cipher.
+ *
+ * \author Daniel King <damaki.gh@gmail.com>
+ *
+ * Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_CHACHA20_H
+#define MBEDTLS_CHACHA20_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if !defined(MBEDTLS_CHACHA20_ALT)
+
+#include <stdint.h>
+#include <stddef.h>
+
+#define MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA -0x003B /**< Invalid input parameter(s). */
+
+typedef struct
+{
+ uint32_t initial_state[16]; /*! Holds the initial state (before round operations) */
+ uint32_t working_state[16]; /*! Holds the working state (after round operations) */
+ uint8_t keystream8[64]; /*! Holds leftover keystream bytes */
+ size_t keystream_bytes_used; /*! Number of keystream bytes currently used */
+}
+mbedtls_chacha20_context;
+
+/**
+ * \brief Initialize ChaCha20 context
+ *
+ * \param ctx ChaCha20 context to be initialized
+ */
+void mbedtls_chacha20_init( mbedtls_chacha20_context *ctx );
+
+/**
+ * \brief Clear ChaCha20 context
+ *
+ * \param ctx ChaCha20 context to be cleared
+ */
+void mbedtls_chacha20_free( mbedtls_chacha20_context *ctx );
+
+/**
+ * \brief Set the ChaCha20 key.
+ *
+ * \note The nonce and counter must be set after calling this function,
+ * before data can be encrypted/decrypted. The nonce and
+ * counter are set by calling mbedtls_chacha20_starts.
+ *
+ * \see mbedtls_chacha20_starts
+ *
+ * \param ctx The context to setup.
+ * \param key Buffer containing the 256-bit key. Must be 32 bytes in length.
+ *
+ * \return MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA is returned if ctx or key
+ * is NULL, or if key_bits is not 128 or 256.
+ * Otherwise, 0 is returned to indicate success.
+ */
+int mbedtls_chacha20_setkey( mbedtls_chacha20_context *ctx,
+ const unsigned char key[32] );
+
+/**
+ * \brief Set the ChaCha20 nonce and initial counter value.
+ *
+ * \note A ChaCha20 context can be re-used with the same key by
+ * calling this function to change the nonce and/or initial
+ * counter value.
+ *
+ * \param ctx The ChaCha20 context.
+ * \param nonce Buffer containing the 96-bit nonce. Must be 12 bytes in size.
+ * \param counter Initial counter value to use. This is usually 0.
+ *
+ * \return MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA is returned if ctx or
+ * nonce is NULL.
+ * Otherwise, 0 is returned to indicate success.
+ */
+int mbedtls_chacha20_starts( mbedtls_chacha20_context* ctx,
+ const unsigned char nonce[12],
+ uint32_t counter );
+
+/**
+ * \brief Encrypt or decrypt data.
+ *
+ * This function is used to both encrypt and decrypt data.
+ *
+ * \note The \p input and \p output buffers may overlap, but only
+ * if input >= output (i.e. only if input points ahead of
+ * the output pointer).
+ *
+ * \note mbedtls_chacha20_setkey and mbedtls_chacha20_starts must be
+ * called at least once to setup the context before this function
+ * can be called.
+ *
+ * \param ctx The ChaCha20 context.
+ * \param size The length (in bytes) to process. This can have any length.
+ * \param input Buffer containing the input data.
+ * \param output Buffer containing the output data.
+ *
+ * \return MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA if the ctx, input, or
+ * output pointers are NULL.
+ * Otherwise, 0 is returned to indicate success.
+ */
+int mbedtls_chacha20_process( mbedtls_chacha20_context *ctx,
+ size_t size,
+ const unsigned char *input,
+ unsigned char *output );
+
+#else /* MBEDTLS_CHACHA20_ALT */
+#include "chacha20_alt.h"
+#endif /* MBEDTLS_CHACHA20_ALT */
+
+/**
+ * \brief Encrypt or decrypt a message using ChaCha20.
+ *
+ * This function is used the same way for encrypting and
+ * decrypting data. It's not necessary to specify which
+ * operation is being performed.
+ *
+ * \note The \p input and \p output buffers may overlap, but only
+ * if input >= output (i.e. only if input points ahead of
+ * the output pointer).
+ *
+ * \param key Buffer containing the 256-bit key. Must be 32 bytes in length.
+ * \param nonce Buffer containing the 96-bit nonce. Must be 12 bytes in length.
+ * \param counter The initial counter value. This is usually 0.
+ * \param data_len The number of bytes to process.
+ * \param input Buffer containing the input data (data to encrypt or decrypt).
+ * \param output Buffer to where the processed data is written.
+ *
+ * \return MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA if key, nonce, input,
+ * or output is NULL.
+ * Otherwise, 0 is returned to indicate success.
+ */
+int mbedtls_chacha20_crypt( const unsigned char key[32],
+ const unsigned char nonce[12],
+ uint32_t counter,
+ size_t data_len,
+ const unsigned char* input,
+ unsigned char* output );
+
+/**
+ * \brief Checkup routine
+ *
+ * \return 0 if successful, or 1 if the test failed
+ */
+int mbedtls_chacha20_self_test( int verbose );
+
+#endif /* MBEDTLS_CHACHA20_H */
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 7c9acb2..4c8fc3c 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -274,6 +274,7 @@
//#define MBEDTLS_BLOWFISH_ALT
//#define MBEDTLS_CAMELLIA_ALT
//#define MBEDTLS_CCM_ALT
+//#define MBEDTLS_CHACHA20_ALT
//#define MBEDTLS_CMAC_ALT
//#define MBEDTLS_DES_ALT
//#define MBEDTLS_DHM_ALT
@@ -1862,6 +1863,15 @@
#define MBEDTLS_CERTS_C
/**
+ * \def MBEDTLS_CHACHA20_C
+ *
+ * Enable the ChaCha20 stream cipher.
+ *
+ * Module: library/chacha20.c
+ */
+#define MBEDTLS_CHACHA20_C
+
+/**
* \def MBEDTLS_CIPHER_C
*
* Enable the generic cipher layer.
diff --git a/include/mbedtls/error.h b/include/mbedtls/error.h
index 8b4d3a8..ace0c47 100644
--- a/include/mbedtls/error.h
+++ b/include/mbedtls/error.h
@@ -76,6 +76,7 @@
* SHA1 1 0x0035-0x0035
* SHA256 1 0x0037-0x0037
* SHA512 1 0x0039-0x0039
+ * CHACHA20 1 0x003B-0x003B
*
* High-level module nr (3 bits - 0x0...-0x7...)
* Name ID Nr of Errors
diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt
index 6177ca2..78bab7f 100644
--- a/library/CMakeLists.txt
+++ b/library/CMakeLists.txt
@@ -13,6 +13,7 @@
blowfish.c
camellia.c
ccm.c
+ chacha20.c
cipher.c
cipher_wrap.c
cmac.c
diff --git a/library/Makefile b/library/Makefile
index b155c72..4fab598 100644
--- a/library/Makefile
+++ b/library/Makefile
@@ -50,7 +50,8 @@
OBJS_CRYPTO= aes.o aesni.o arc4.o \
asn1parse.o asn1write.o base64.o \
bignum.o blowfish.o camellia.o \
- ccm.o cipher.o cipher_wrap.o \
+ ccm.o chacha20.o \
+ cipher.o cipher_wrap.o \
cmac.o ctr_drbg.o des.o \
dhm.o ecdh.o ecdsa.o \
ecjpake.o ecp.o \
diff --git a/library/chacha20.c b/library/chacha20.c
new file mode 100644
index 0000000..75fd9e9
--- /dev/null
+++ b/library/chacha20.c
@@ -0,0 +1,551 @@
+/**
+ * \file chacha20.c
+ *
+ * \brief ChaCha20 cipher.
+ *
+ * \author Daniel King <damaki.gh@gmail.com>
+ *
+ * Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#include "mbedtls/chacha20.h"
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_CHACHA20_C)
+
+#if !defined(MBEDTLS_CHACHA20_ALT)
+
+#include <stddef.h>
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#define BYTES_TO_U32_LE( data, offset ) \
+ ( (uint32_t)data[offset] | \
+ (uint32_t)( (uint32_t)data[(offset) + 1] << 8 ) | \
+ (uint32_t)( (uint32_t)data[(offset) + 2] << 16 ) | \
+ (uint32_t)( (uint32_t)data[(offset) + 3] << 24 ) \
+ )
+
+#define ROTL32( value, amount ) ( (uint32_t)( value << amount ) | ( value >> ( 32 - amount ) ) )
+
+#define CHACHA20_CTR_INDEX ( 12U )
+
+#define CHACHA20_BLOCK_SIZE_BYTES ( 4U * 16U )
+
+/* Implementation that should never be optimized out by the compiler */
+static void mbedtls_zeroize( void *v, size_t n ) {
+ volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
+/**
+ * \brief ChaCha20 quarter round operation.
+ *
+ * The quarter round is defined as follows (from RFC 7539):
+ * 1. a += b; d ^= a; d <<<= 16;
+ * 2. c += d; b ^= c; b <<<= 12;
+ * 3. a += b; d ^= a; d <<<= 8;
+ * 4. c += d; b ^= c; b <<<= 7;
+ *
+ * \param state ChaCha20 state to modify.
+ * \param a The index of 'a' in the state.
+ * \param b The index of 'b' in the state.
+ * \param c The index of 'c' in the state.
+ * \param d The index of 'd' in the state.
+ */
+static inline void mbedtls_chacha20_quarter_round( uint32_t state[16],
+ size_t a,
+ size_t b,
+ size_t c,
+ size_t d )
+{
+ /* a += b; d ^= a; d <<<= 16; */
+ state[a] += state[b];
+ state[d] ^= state[a];
+ state[d] = ROTL32( state[d], 16 );
+
+ /* c += d; b ^= c; b <<<= 12 */
+ state[c] += state[d];
+ state[b] ^= state[c];
+ state[b] = ROTL32( state[b], 12 );
+
+ /* a += b; d ^= a; d <<<= 8; */
+ state[a] += state[b];
+ state[d] ^= state[a];
+ state[d] = ROTL32( state[d], 8 );
+
+ /* c += d; b ^= c; b <<<= 7; */
+ state[c] += state[d];
+ state[b] ^= state[c];
+ state[b] = ROTL32( state[b], 7 );
+}
+
+/**
+ * \brief Perform the ChaCha20 inner block operation.
+ *
+ * This function performs two rounds: the column round and the
+ * diagonal round.
+ *
+ * \param state The ChaCha20 state to update.
+ */
+static void mbedtls_chacha20_inner_block( uint32_t state[16] )
+{
+ mbedtls_chacha20_quarter_round( state, 0, 4, 8, 12 );
+ mbedtls_chacha20_quarter_round( state, 1, 5, 9, 13 );
+ mbedtls_chacha20_quarter_round( state, 2, 6, 10, 14 );
+ mbedtls_chacha20_quarter_round( state, 3, 7, 11, 15 );
+
+ mbedtls_chacha20_quarter_round( state, 0, 5, 10, 15 );
+ mbedtls_chacha20_quarter_round( state, 1, 6, 11, 12 );
+ mbedtls_chacha20_quarter_round( state, 2, 7, 8, 13 );
+ mbedtls_chacha20_quarter_round( state, 3, 4, 9, 14 );
+}
+
+/**
+ * \brief Generates a keystream block.
+ *
+ * \param initial_state The initial ChaCha20 state (containing the key, nonce, counter).
+ * \param working_state This state is used as a temporary working area.
+ * \param keystream Generated keystream bytes are written to this buffer.
+ */
+static void mbedtls_chacha20_block( mbedtls_chacha20_context *ctx,
+ unsigned char keystream[64] )
+{
+ size_t i;
+ size_t offset;
+
+ memcpy( ctx->working_state,
+ ctx->initial_state,
+ sizeof(ctx->initial_state) );
+
+ for ( i = 0U; i < 10U; i++ )
+ {
+ mbedtls_chacha20_inner_block( ctx->working_state );
+ }
+
+ ctx->working_state[0] += ctx->initial_state[0];
+ ctx->working_state[1] += ctx->initial_state[1];
+ ctx->working_state[2] += ctx->initial_state[2];
+ ctx->working_state[3] += ctx->initial_state[3];
+ ctx->working_state[4] += ctx->initial_state[4];
+ ctx->working_state[5] += ctx->initial_state[5];
+ ctx->working_state[6] += ctx->initial_state[6];
+ ctx->working_state[7] += ctx->initial_state[7];
+ ctx->working_state[8] += ctx->initial_state[8];
+ ctx->working_state[9] += ctx->initial_state[9];
+ ctx->working_state[10] += ctx->initial_state[10];
+ ctx->working_state[11] += ctx->initial_state[11];
+ ctx->working_state[12] += ctx->initial_state[12];
+ ctx->working_state[13] += ctx->initial_state[13];
+ ctx->working_state[14] += ctx->initial_state[14];
+ ctx->working_state[15] += ctx->initial_state[15];
+
+ for ( i = 0U; i < 16; i++ )
+ {
+ offset = i * 4U;
+
+ keystream[offset ] = (unsigned char) ctx->working_state[i];
+ keystream[offset + 1U] = (unsigned char)( ctx->working_state[i] >> 8 );
+ keystream[offset + 2U] = (unsigned char)( ctx->working_state[i] >> 16 );
+ keystream[offset + 3U] = (unsigned char)( ctx->working_state[i] >> 24 );
+ }
+}
+
+void mbedtls_chacha20_init( mbedtls_chacha20_context *ctx )
+{
+ if ( ctx != NULL )
+ {
+ mbedtls_zeroize( ctx->initial_state, sizeof( ctx->initial_state ) );
+ mbedtls_zeroize( ctx->working_state, sizeof( ctx->working_state ) );
+ mbedtls_zeroize( ctx->keystream8, sizeof( ctx->keystream8 ) );
+
+ /* Initially, there's no keystream bytes available */
+ ctx->keystream_bytes_used = CHACHA20_BLOCK_SIZE_BYTES;
+ }
+}
+
+void mbedtls_chacha20_free( mbedtls_chacha20_context *ctx )
+{
+ if ( ctx != NULL )
+ {
+ mbedtls_zeroize( ctx, sizeof( mbedtls_chacha20_context ) );
+ }
+}
+
+int mbedtls_chacha20_setkey( mbedtls_chacha20_context *ctx,
+ const unsigned char key[32] )
+{
+ if ( ( ctx == NULL ) || ( key == NULL ) )
+ {
+ return( MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA );
+ }
+
+ /* ChaCha20 constants - the string "expand 32-byte k" */
+ ctx->initial_state[0] = 0x61707865;
+ ctx->initial_state[1] = 0x3320646e;
+ ctx->initial_state[2] = 0x79622d32;
+ ctx->initial_state[3] = 0x6b206574;
+
+ /* Set key */
+ ctx->initial_state[4] = BYTES_TO_U32_LE( key, 0 );
+ ctx->initial_state[5] = BYTES_TO_U32_LE( key, 4 );
+ ctx->initial_state[6] = BYTES_TO_U32_LE( key, 8 );
+ ctx->initial_state[7] = BYTES_TO_U32_LE( key, 12 );
+ ctx->initial_state[8] = BYTES_TO_U32_LE( key, 16 );
+ ctx->initial_state[9] = BYTES_TO_U32_LE( key, 20 );
+ ctx->initial_state[10] = BYTES_TO_U32_LE( key, 24 );
+ ctx->initial_state[11] = BYTES_TO_U32_LE( key, 28 );
+
+ return( 0 );
+}
+
+int mbedtls_chacha20_starts( mbedtls_chacha20_context* ctx,
+ const unsigned char nonce[12],
+ uint32_t counter )
+{
+ if ( ( ctx == NULL ) || ( nonce == NULL ) )
+ {
+ return( MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA );
+ }
+
+ /* Counter */
+ ctx->initial_state[12] = counter;
+
+ /* Nonce */
+ ctx->initial_state[13] = BYTES_TO_U32_LE( nonce, 0 );
+ ctx->initial_state[14] = BYTES_TO_U32_LE( nonce, 4 );
+ ctx->initial_state[15] = BYTES_TO_U32_LE( nonce, 8 );
+
+ return( 0 );
+}
+
+int mbedtls_chacha20_process( mbedtls_chacha20_context *ctx,
+ size_t size,
+ const unsigned char *input,
+ unsigned char *output )
+{
+ size_t offset = 0U;
+ size_t i;
+
+ if ( ( ctx == NULL ) || ( input == NULL ) || ( output == NULL ) )
+ {
+ return( MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA );
+ }
+
+ /* Use leftover keystream bytes, if available */
+ while ( ( size > 0U ) && ( ctx->keystream_bytes_used < CHACHA20_BLOCK_SIZE_BYTES ) )
+ {
+ output[offset] = input[offset] ^ ctx->keystream8[ctx->keystream_bytes_used];
+
+ ctx->keystream_bytes_used++;
+ offset++;
+ size--;
+ }
+
+ /* Process full blocks */
+ while ( size >= CHACHA20_BLOCK_SIZE_BYTES )
+ {
+ mbedtls_chacha20_block( ctx, &output[offset] );
+
+ for ( i = 0U; i < 64U; i += 8U )
+ {
+ output[offset + i ] ^= input[offset + i ];
+ output[offset + i + 1U] ^= input[offset + i + 1U];
+ output[offset + i + 2U] ^= input[offset + i + 2U];
+ output[offset + i + 3U] ^= input[offset + i + 3U];
+ output[offset + i + 4U] ^= input[offset + i + 4U];
+ output[offset + i + 5U] ^= input[offset + i + 5U];
+ output[offset + i + 6U] ^= input[offset + i + 6U];
+ output[offset + i + 7U] ^= input[offset + i + 7U];
+ }
+
+ /* Increment counter */
+ ctx->initial_state[CHACHA20_CTR_INDEX]++;
+
+ offset += 64U;
+ size -= 64U;
+ }
+
+ /* Last (partial) block */
+ if ( size > 0U )
+ {
+ mbedtls_chacha20_block( ctx, ctx->keystream8 );
+
+ for ( i = 0U; i < size; i++)
+ {
+ output[offset + i] = input[offset + i] ^ ctx->keystream8[i];
+ }
+
+ ctx->keystream_bytes_used = size;
+
+ /* Increment counter */
+ ctx->initial_state[CHACHA20_CTR_INDEX]++;
+ }
+
+ return 0;
+}
+
+#endif /* !MBEDTLS_CHACHA20_ALT */
+
+int mbedtls_chacha20_crypt( const unsigned char key[32],
+ const unsigned char nonce[12],
+ uint32_t counter,
+ size_t data_len,
+ const unsigned char* input,
+ unsigned char* output )
+{
+ mbedtls_chacha20_context ctx;
+ int result;
+
+ mbedtls_chacha20_init( &ctx );
+
+ result = mbedtls_chacha20_setkey( &ctx, key );
+ if ( result != 0 )
+ goto cleanup;
+
+ result = mbedtls_chacha20_starts( &ctx, nonce, counter );
+ if ( result != 0 )
+ goto cleanup;
+
+ result = mbedtls_chacha20_process( &ctx, data_len, input, output );
+
+cleanup:
+ mbedtls_chacha20_free( &ctx );
+ return result;
+}
+
+#if defined(MBEDTLS_SELF_TEST)
+
+static const unsigned char test_keys[2][32] =
+{
+ {
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+ },
+ {
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
+ }
+};
+
+static const unsigned char test_nonces[2][12] =
+{
+ {
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00
+ },
+ {
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x02
+ }
+};
+
+static const uint32_t test_counters[2] =
+{
+ 0U,
+ 1U
+};
+
+static const unsigned char test_input[2][375] =
+{
+ {
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+ },
+ {
+ 0x41, 0x6e, 0x79, 0x20, 0x73, 0x75, 0x62, 0x6d,
+ 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x20, 0x74,
+ 0x6f, 0x20, 0x74, 0x68, 0x65, 0x20, 0x49, 0x45,
+ 0x54, 0x46, 0x20, 0x69, 0x6e, 0x74, 0x65, 0x6e,
+ 0x64, 0x65, 0x64, 0x20, 0x62, 0x79, 0x20, 0x74,
+ 0x68, 0x65, 0x20, 0x43, 0x6f, 0x6e, 0x74, 0x72,
+ 0x69, 0x62, 0x75, 0x74, 0x6f, 0x72, 0x20, 0x66,
+ 0x6f, 0x72, 0x20, 0x70, 0x75, 0x62, 0x6c, 0x69,
+ 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x61,
+ 0x73, 0x20, 0x61, 0x6c, 0x6c, 0x20, 0x6f, 0x72,
+ 0x20, 0x70, 0x61, 0x72, 0x74, 0x20, 0x6f, 0x66,
+ 0x20, 0x61, 0x6e, 0x20, 0x49, 0x45, 0x54, 0x46,
+ 0x20, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65,
+ 0x74, 0x2d, 0x44, 0x72, 0x61, 0x66, 0x74, 0x20,
+ 0x6f, 0x72, 0x20, 0x52, 0x46, 0x43, 0x20, 0x61,
+ 0x6e, 0x64, 0x20, 0x61, 0x6e, 0x79, 0x20, 0x73,
+ 0x74, 0x61, 0x74, 0x65, 0x6d, 0x65, 0x6e, 0x74,
+ 0x20, 0x6d, 0x61, 0x64, 0x65, 0x20, 0x77, 0x69,
+ 0x74, 0x68, 0x69, 0x6e, 0x20, 0x74, 0x68, 0x65,
+ 0x20, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74,
+ 0x20, 0x6f, 0x66, 0x20, 0x61, 0x6e, 0x20, 0x49,
+ 0x45, 0x54, 0x46, 0x20, 0x61, 0x63, 0x74, 0x69,
+ 0x76, 0x69, 0x74, 0x79, 0x20, 0x69, 0x73, 0x20,
+ 0x63, 0x6f, 0x6e, 0x73, 0x69, 0x64, 0x65, 0x72,
+ 0x65, 0x64, 0x20, 0x61, 0x6e, 0x20, 0x22, 0x49,
+ 0x45, 0x54, 0x46, 0x20, 0x43, 0x6f, 0x6e, 0x74,
+ 0x72, 0x69, 0x62, 0x75, 0x74, 0x69, 0x6f, 0x6e,
+ 0x22, 0x2e, 0x20, 0x53, 0x75, 0x63, 0x68, 0x20,
+ 0x73, 0x74, 0x61, 0x74, 0x65, 0x6d, 0x65, 0x6e,
+ 0x74, 0x73, 0x20, 0x69, 0x6e, 0x63, 0x6c, 0x75,
+ 0x64, 0x65, 0x20, 0x6f, 0x72, 0x61, 0x6c, 0x20,
+ 0x73, 0x74, 0x61, 0x74, 0x65, 0x6d, 0x65, 0x6e,
+ 0x74, 0x73, 0x20, 0x69, 0x6e, 0x20, 0x49, 0x45,
+ 0x54, 0x46, 0x20, 0x73, 0x65, 0x73, 0x73, 0x69,
+ 0x6f, 0x6e, 0x73, 0x2c, 0x20, 0x61, 0x73, 0x20,
+ 0x77, 0x65, 0x6c, 0x6c, 0x20, 0x61, 0x73, 0x20,
+ 0x77, 0x72, 0x69, 0x74, 0x74, 0x65, 0x6e, 0x20,
+ 0x61, 0x6e, 0x64, 0x20, 0x65, 0x6c, 0x65, 0x63,
+ 0x74, 0x72, 0x6f, 0x6e, 0x69, 0x63, 0x20, 0x63,
+ 0x6f, 0x6d, 0x6d, 0x75, 0x6e, 0x69, 0x63, 0x61,
+ 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x20, 0x6d, 0x61,
+ 0x64, 0x65, 0x20, 0x61, 0x74, 0x20, 0x61, 0x6e,
+ 0x79, 0x20, 0x74, 0x69, 0x6d, 0x65, 0x20, 0x6f,
+ 0x72, 0x20, 0x70, 0x6c, 0x61, 0x63, 0x65, 0x2c,
+ 0x20, 0x77, 0x68, 0x69, 0x63, 0x68, 0x20, 0x61,
+ 0x72, 0x65, 0x20, 0x61, 0x64, 0x64, 0x72, 0x65,
+ 0x73, 0x73, 0x65, 0x64, 0x20, 0x74, 0x6f
+ }
+};
+
+static const unsigned char test_output[2][375] =
+{
+ {
+ 0x76, 0xb8, 0xe0, 0xad, 0xa0, 0xf1, 0x3d, 0x90,
+ 0x40, 0x5d, 0x6a, 0xe5, 0x53, 0x86, 0xbd, 0x28,
+ 0xbd, 0xd2, 0x19, 0xb8, 0xa0, 0x8d, 0xed, 0x1a,
+ 0xa8, 0x36, 0xef, 0xcc, 0x8b, 0x77, 0x0d, 0xc7,
+ 0xda, 0x41, 0x59, 0x7c, 0x51, 0x57, 0x48, 0x8d,
+ 0x77, 0x24, 0xe0, 0x3f, 0xb8, 0xd8, 0x4a, 0x37,
+ 0x6a, 0x43, 0xb8, 0xf4, 0x15, 0x18, 0xa1, 0x1c,
+ 0xc3, 0x87, 0xb6, 0x69, 0xb2, 0xee, 0x65, 0x86
+ },
+ {
+ 0xa3, 0xfb, 0xf0, 0x7d, 0xf3, 0xfa, 0x2f, 0xde,
+ 0x4f, 0x37, 0x6c, 0xa2, 0x3e, 0x82, 0x73, 0x70,
+ 0x41, 0x60, 0x5d, 0x9f, 0x4f, 0x4f, 0x57, 0xbd,
+ 0x8c, 0xff, 0x2c, 0x1d, 0x4b, 0x79, 0x55, 0xec,
+ 0x2a, 0x97, 0x94, 0x8b, 0xd3, 0x72, 0x29, 0x15,
+ 0xc8, 0xf3, 0xd3, 0x37, 0xf7, 0xd3, 0x70, 0x05,
+ 0x0e, 0x9e, 0x96, 0xd6, 0x47, 0xb7, 0xc3, 0x9f,
+ 0x56, 0xe0, 0x31, 0xca, 0x5e, 0xb6, 0x25, 0x0d,
+ 0x40, 0x42, 0xe0, 0x27, 0x85, 0xec, 0xec, 0xfa,
+ 0x4b, 0x4b, 0xb5, 0xe8, 0xea, 0xd0, 0x44, 0x0e,
+ 0x20, 0xb6, 0xe8, 0xdb, 0x09, 0xd8, 0x81, 0xa7,
+ 0xc6, 0x13, 0x2f, 0x42, 0x0e, 0x52, 0x79, 0x50,
+ 0x42, 0xbd, 0xfa, 0x77, 0x73, 0xd8, 0xa9, 0x05,
+ 0x14, 0x47, 0xb3, 0x29, 0x1c, 0xe1, 0x41, 0x1c,
+ 0x68, 0x04, 0x65, 0x55, 0x2a, 0xa6, 0xc4, 0x05,
+ 0xb7, 0x76, 0x4d, 0x5e, 0x87, 0xbe, 0xa8, 0x5a,
+ 0xd0, 0x0f, 0x84, 0x49, 0xed, 0x8f, 0x72, 0xd0,
+ 0xd6, 0x62, 0xab, 0x05, 0x26, 0x91, 0xca, 0x66,
+ 0x42, 0x4b, 0xc8, 0x6d, 0x2d, 0xf8, 0x0e, 0xa4,
+ 0x1f, 0x43, 0xab, 0xf9, 0x37, 0xd3, 0x25, 0x9d,
+ 0xc4, 0xb2, 0xd0, 0xdf, 0xb4, 0x8a, 0x6c, 0x91,
+ 0x39, 0xdd, 0xd7, 0xf7, 0x69, 0x66, 0xe9, 0x28,
+ 0xe6, 0x35, 0x55, 0x3b, 0xa7, 0x6c, 0x5c, 0x87,
+ 0x9d, 0x7b, 0x35, 0xd4, 0x9e, 0xb2, 0xe6, 0x2b,
+ 0x08, 0x71, 0xcd, 0xac, 0x63, 0x89, 0x39, 0xe2,
+ 0x5e, 0x8a, 0x1e, 0x0e, 0xf9, 0xd5, 0x28, 0x0f,
+ 0xa8, 0xca, 0x32, 0x8b, 0x35, 0x1c, 0x3c, 0x76,
+ 0x59, 0x89, 0xcb, 0xcf, 0x3d, 0xaa, 0x8b, 0x6c,
+ 0xcc, 0x3a, 0xaf, 0x9f, 0x39, 0x79, 0xc9, 0x2b,
+ 0x37, 0x20, 0xfc, 0x88, 0xdc, 0x95, 0xed, 0x84,
+ 0xa1, 0xbe, 0x05, 0x9c, 0x64, 0x99, 0xb9, 0xfd,
+ 0xa2, 0x36, 0xe7, 0xe8, 0x18, 0xb0, 0x4b, 0x0b,
+ 0xc3, 0x9c, 0x1e, 0x87, 0x6b, 0x19, 0x3b, 0xfe,
+ 0x55, 0x69, 0x75, 0x3f, 0x88, 0x12, 0x8c, 0xc0,
+ 0x8a, 0xaa, 0x9b, 0x63, 0xd1, 0xa1, 0x6f, 0x80,
+ 0xef, 0x25, 0x54, 0xd7, 0x18, 0x9c, 0x41, 0x1f,
+ 0x58, 0x69, 0xca, 0x52, 0xc5, 0xb8, 0x3f, 0xa3,
+ 0x6f, 0xf2, 0x16, 0xb9, 0xc1, 0xd3, 0x00, 0x62,
+ 0xbe, 0xbc, 0xfd, 0x2d, 0xc5, 0xbc, 0xe0, 0x91,
+ 0x19, 0x34, 0xfd, 0xa7, 0x9a, 0x86, 0xf6, 0xe6,
+ 0x98, 0xce, 0xd7, 0x59, 0xc3, 0xff, 0x9b, 0x64,
+ 0x77, 0x33, 0x8f, 0x3d, 0xa4, 0xf9, 0xcd, 0x85,
+ 0x14, 0xea, 0x99, 0x82, 0xcc, 0xaf, 0xb3, 0x41,
+ 0xb2, 0x38, 0x4d, 0xd9, 0x02, 0xf3, 0xd1, 0xab,
+ 0x7a, 0xc6, 0x1d, 0xd2, 0x9c, 0x6f, 0x21, 0xba,
+ 0x5b, 0x86, 0x2f, 0x37, 0x30, 0xe3, 0x7c, 0xfd,
+ 0xc4, 0xfd, 0x80, 0x6c, 0x22, 0xf2, 0x21
+ }
+};
+
+static const size_t test_lengths[2] =
+{
+ 64U,
+ 375U
+};
+
+int mbedtls_chacha20_self_test( int verbose )
+{
+ unsigned char output[381];
+ size_t i;
+ int result;
+
+ for ( i = 0U; i < 2U; i++ )
+ {
+ result = mbedtls_chacha20_crypt( test_keys[i],
+ test_nonces[i],
+ test_counters[i],
+ test_lengths[i],
+ test_input[i],
+ output );
+ if ( result != 0)
+ {
+ if ( verbose != 0 )
+ {
+ mbedtls_printf( "ChaCha20 test %zi error code: %i\n", i, result );
+ }
+
+ return( -1 );
+ }
+
+ if ( 0 != memcmp( output, test_output[i], test_lengths[i] ) )
+ {
+ if ( verbose != 0 )
+ {
+ mbedtls_printf( "ChaCha20 test %zi failed\n", i );
+ }
+
+ return( -1 );
+ }
+ }
+
+ return( 0 );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* !MBEDTLS_CHACHA20_C */
diff --git a/library/error.c b/library/error.c
index 222d85b..2aaf359 100644
--- a/library/error.c
+++ b/library/error.c
@@ -69,6 +69,10 @@
#include "mbedtls/ccm.h"
#endif
+#if defined(MBEDTLS_CHACHA20_C)
+#include "mbedtls/chacha20.h"
+#endif
+
#if defined(MBEDTLS_CIPHER_C)
#include "mbedtls/cipher.h"
#endif
@@ -653,6 +657,11 @@
mbedtls_snprintf( buf, buflen, "CCM - CCM hardware accelerator failed" );
#endif /* MBEDTLS_CCM_C */
+#if defined(MBEDTLS_CHACHA20_C)
+ if( use_ret == -(MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA) )
+ mbedtls_snprintf( buf, buflen, "CHACHA20 - Invalid input parameter(s)" );
+#endif /* MBEDTLS_CHACHA20_C */
+
#if defined(MBEDTLS_CMAC_C)
if( use_ret == -(MBEDTLS_ERR_CMAC_HW_ACCEL_FAILED) )
mbedtls_snprintf( buf, buflen, "CMAC - CMAC hardware accelerator failed" );
diff --git a/library/version_features.c b/library/version_features.c
index a452caf..febd506 100644
--- a/library/version_features.c
+++ b/library/version_features.c
@@ -99,6 +99,9 @@
#if defined(MBEDTLS_CCM_ALT)
"MBEDTLS_CCM_ALT",
#endif /* MBEDTLS_CCM_ALT */
+#if defined(MBEDTLS_CHACHA20_ALT)
+ "MBEDTLS_CHACHA20_ALT",
+#endif /* MBEDTLS_CHACHA20_ALT */
#if defined(MBEDTLS_CMAC_ALT)
"MBEDTLS_CMAC_ALT",
#endif /* MBEDTLS_CMAC_ALT */
@@ -537,6 +540,9 @@
#if defined(MBEDTLS_CERTS_C)
"MBEDTLS_CERTS_C",
#endif /* MBEDTLS_CERTS_C */
+#if defined(MBEDTLS_CHACHA20_C)
+ "MBEDTLS_CHACHA20_C",
+#endif /* MBEDTLS_CHACHA20_C */
#if defined(MBEDTLS_CIPHER_C)
"MBEDTLS_CIPHER_C",
#endif /* MBEDTLS_CIPHER_C */
diff --git a/programs/test/benchmark.c b/programs/test/benchmark.c
index cecf3e3..bc473cf 100644
--- a/programs/test/benchmark.c
+++ b/programs/test/benchmark.c
@@ -59,6 +59,7 @@
#include "mbedtls/aes.h"
#include "mbedtls/blowfish.h"
#include "mbedtls/camellia.h"
+#include "mbedtls/chacha20.h"
#include "mbedtls/gcm.h"
#include "mbedtls/ccm.h"
#include "mbedtls/cmac.h"
@@ -93,7 +94,7 @@
#define OPTIONS \
"md4, md5, ripemd160, sha1, sha256, sha512,\n" \
- "arc4, des3, des, camellia, blowfish,\n" \
+ "arc4, des3, des, camellia, blowfish, chacha20,\n" \
"aes_cbc, aes_gcm, aes_ccm, aes_cmac, des3_cmac,\n" \
"havege, ctr_drbg, hmac_drbg\n" \
"rsa, dhm, ecdsa, ecdh.\n"
@@ -229,7 +230,7 @@
char md4, md5, ripemd160, sha1, sha256, sha512,
arc4, des3, des,
aes_cbc, aes_gcm, aes_ccm, aes_cmac, des3_cmac,
- camellia, blowfish,
+ camellia, blowfish, chacha20,
havege, ctr_drbg, hmac_drbg,
rsa, dhm, ecdsa, ecdh;
} todo_list;
@@ -286,6 +287,8 @@
todo.camellia = 1;
else if( strcmp( argv[i], "blowfish" ) == 0 )
todo.blowfish = 1;
+ else if( strcmp( argv[i], "chacha20" ) == 0 )
+ todo.chacha20 = 1;
else if( strcmp( argv[i], "havege" ) == 0 )
todo.havege = 1;
else if( strcmp( argv[i], "ctr_drbg" ) == 0 )
@@ -520,6 +523,13 @@
}
#endif
+#if defined(MBEDTLS_CHACHA20_C)
+ if ( todo.chacha20 )
+ {
+ TIME_AND_TSC( "ChaCha20", mbedtls_chacha20_crypt( buf, buf, 0U, BUFSIZE, buf, buf ) );
+ }
+#endif
+
#if defined(MBEDTLS_BLOWFISH_C) && defined(MBEDTLS_CIPHER_MODE_CBC)
if( todo.blowfish )
{
diff --git a/scripts/generate_errors.pl b/scripts/generate_errors.pl
index ac0fbff..36ee60b 100755
--- a/scripts/generate_errors.pl
+++ b/scripts/generate_errors.pl
@@ -30,7 +30,7 @@
my $error_format_file = $data_dir.'/error.fmt';
my @low_level_modules = qw( AES ARC4 ASN1 BASE64 BIGNUM BLOWFISH
- CAMELLIA CCM CMAC CTR_DRBG DES
+ CAMELLIA CCM CHACHA20 CMAC CTR_DRBG DES
ENTROPY GCM HMAC_DRBG MD2 MD4 MD5
NET OID PADLOCK PBKDF2 RIPEMD160
SHA1 SHA256 SHA512 THREADING XTEA );
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index 16e19a9..1525bc2 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -54,6 +54,7 @@
add_test_suite(blowfish)
add_test_suite(camellia)
add_test_suite(ccm)
+add_test_suite(chacha20)
add_test_suite(cipher cipher.aes)
add_test_suite(cipher cipher.arc4)
add_test_suite(cipher cipher.blowfish)
diff --git a/tests/Makefile b/tests/Makefile
index d85617f..233259b 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -50,7 +50,7 @@
test_suite_arc4$(EXEXT) test_suite_asn1write$(EXEXT) \
test_suite_base64$(EXEXT) test_suite_blowfish$(EXEXT) \
test_suite_camellia$(EXEXT) test_suite_ccm$(EXEXT) \
- test_suite_cmac$(EXEXT) \
+ test_suite_chacha20$(EXEXT) test_suite_cmac$(EXEXT) \
test_suite_cipher.aes$(EXEXT) \
test_suite_cipher.arc4$(EXEXT) test_suite_cipher.ccm$(EXEXT) \
test_suite_cipher.gcm$(EXEXT) \
@@ -237,6 +237,10 @@
echo " CC $<"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
+test_suite_chacha20$(EXEXT): test_suite_chacha20.c $(DEP)
+ echo " CC $<"
+ $(CC) $(LOCAL_CFLAGS) $(CFLAGS) $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
+
test_suite_cmac$(EXEXT): test_suite_cmac.c $(DEP)
echo " CC $<"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
diff --git a/tests/suites/test_suite_chacha20.data b/tests/suites/test_suite_chacha20.data
new file mode 100644
index 0000000..79f0408
--- /dev/null
+++ b/tests/suites/test_suite_chacha20.data
@@ -0,0 +1,2 @@
+ChaCha20 Selftest
+chacha20_self_test:
diff --git a/tests/suites/test_suite_chacha20.function b/tests/suites/test_suite_chacha20.function
new file mode 100644
index 0000000..2825a61
--- /dev/null
+++ b/tests/suites/test_suite_chacha20.function
@@ -0,0 +1,14 @@
+/* BEGIN_HEADER */
+#include "mbedtls/chacha20.h"
+/* END_HEADER */
+
+/* BEGIN_DEPENDENCIES
+ * depends_on:MBEDTLS_CHACHA20_C
+ * END_DEPENDENCIES
+ */
+/* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */
+void chacha20_self_test()
+{
+ TEST_ASSERT( mbedtls_chacha20_self_test( 0 ) == 0 );
+}
+/* END_CASE */
\ No newline at end of file