From 3e79c8ecfd6ee364ec48608133c793586114f4ec Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 6 May 2019 15:20:04 +0200 Subject: [PATCH] Declare ChaCha20 cipher and AEAD Declare algorithms for ChaCha20 and ChaCha20-Poly1305, and a corresponding (common) key type. Don't declare Poly1305 as a separate algorithm because it's a one-time authenticator, not a MAC, so the API isn't suitable for it (no way to use a nonce). --- include/psa/crypto_values.h | 27 +++++++++++++++++++ .../test_suite_psa_crypto_metadata.data | 12 +++++++++ 2 files changed, 39 insertions(+) diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index d01367d05..9777ae90e 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h @@ -402,6 +402,15 @@ * legacy protocols. */ #define PSA_KEY_TYPE_ARC4 ((psa_key_type_t)0x40000004) +/** Key for the ChaCha20 stream cipher or the Chacha20-Poly1305 AEAD algorithm. + * + * ChaCha20 and the ChaCha20_Poly1305 construction are defined in RFC 7539. + * + * Implementations must support 12-byte nonces, may support 8-byte nonces, + * and should reject other sizes. + */ +#define PSA_KEY_TYPE_CHACHA20 ((psa_key_type_t)0x40000005) + /** RSA public key. */ #define PSA_KEY_TYPE_RSA_PUBLIC_KEY ((psa_key_type_t)0x60010000) /** RSA key pair (private and public key). */ @@ -836,6 +845,18 @@ */ #define PSA_ALG_ARC4 ((psa_algorithm_t)0x04800001) +/** The ChaCha20 stream cipher. + * + * ChaCha20 is defined in RFC 7539. + * + * The nonce size for psa_cipher_set_iv() or psa_cipher_generate_iv() + * must be 12. + * + * The initial block counter is always 0. + * + */ +#define PSA_ALG_CHACHA20 ((psa_algorithm_t)0x04800005) + /** The CTR stream cipher mode. * * CTR is a stream cipher which is built from a block cipher. @@ -900,6 +921,11 @@ /** The Chacha20-Poly1305 AEAD algorithm. * * The ChaCha20_Poly1305 construction is defined in RFC 7539. + * + * Implementations must support 12-byte nonces, may support 8-byte nonces, + * and should reject other sizes. + * + * Implementations must support 16-byte tags and should reject other sizes. */ #define PSA_ALG_CHACHA20_POLY1305 ((psa_algorithm_t)0x06001005) @@ -945,6 +971,7 @@ ( \ PSA__ALG_AEAD_WITH_DEFAULT_TAG_LENGTH__CASE(aead_alg, PSA_ALG_CCM) \ PSA__ALG_AEAD_WITH_DEFAULT_TAG_LENGTH__CASE(aead_alg, PSA_ALG_GCM) \ + PSA__ALG_AEAD_WITH_DEFAULT_TAG_LENGTH__CASE(aead_alg, PSA_ALG_CHACHA20_POLY1305) \ 0) #define PSA__ALG_AEAD_WITH_DEFAULT_TAG_LENGTH__CASE(aead_alg, ref) \ PSA_ALG_AEAD_WITH_TAG_LENGTH(aead_alg, 0) == \ diff --git a/tests/suites/test_suite_psa_crypto_metadata.data b/tests/suites/test_suite_psa_crypto_metadata.data index 45aef1072..94b80acdd 100644 --- a/tests/suites/test_suite_psa_crypto_metadata.data +++ b/tests/suites/test_suite_psa_crypto_metadata.data @@ -166,6 +166,10 @@ Cipher: ARC4 depends_on:MBEDTLS_ARC4_C cipher_algorithm:PSA_ALG_ARC4:ALG_IS_STREAM_CIPHER +Cipher: ChaCha20 +depends_on:MBEDTLS_CHACHA_C +cipher_algorithm:PSA_ALG_CHACHA20:ALG_IS_STREAM_CIPHER + Cipher: CTR depends_on:MBEDTLS_CIPHER_C:MBEDTLS_CIPHER_MODE_CTR cipher_algorithm:PSA_ALG_CTR:ALG_IS_STREAM_CIPHER @@ -198,6 +202,10 @@ AEAD: GCM depends_on:MBEDTLS_GCM_C aead_algorithm:PSA_ALG_GCM:ALG_IS_AEAD_ON_BLOCK_CIPHER:16 +AEAD: ChaCha20_Poly1305 +depends_on:MBEDTLS_CHACHAPOLY_C +aead_algorithm:PSA_ALG_CHACHA20_POLY1305:0:16 + Asymmetric signature: RSA PKCS#1 v1.5 raw depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 asymmetric_signature_algorithm:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:ALG_IS_RSA_PKCS1V15_SIGN | ALG_IS_HASH_AND_SIGN @@ -307,6 +315,10 @@ Key type: ARC4 depends_on:MBEDTLS_ARC4_C key_type:PSA_KEY_TYPE_ARC4:KEY_TYPE_IS_UNSTRUCTURED +Key type: ChaCha20 +depends_on:MBEDTLS_CHACHA20_C +key_type:PSA_KEY_TYPE_CHACHA20:KEY_TYPE_IS_UNSTRUCTURED + Key type: RSA public key depends_on:MBEDTLS_RSA_C key_type:PSA_KEY_TYPE_RSA_PUBLIC_KEY:KEY_TYPE_IS_PUBLIC_KEY | KEY_TYPE_IS_RSA