From a98ff5eadfc6dbbc4f5e0ecf1ac22ab81a877675 Mon Sep 17 00:00:00 2001 From: Daniel King Date: Sun, 15 May 2016 17:28:08 -0300 Subject: [PATCH] Initial implementation of ChaCha20 --- include/mbedtls/chacha20.h | 169 +++++++ include/mbedtls/config.h | 10 + include/mbedtls/error.h | 1 + library/CMakeLists.txt | 1 + library/Makefile | 3 +- library/chacha20.c | 551 ++++++++++++++++++++++ library/error.c | 9 + library/version_features.c | 6 + programs/test/benchmark.c | 14 +- scripts/generate_errors.pl | 2 +- tests/CMakeLists.txt | 1 + tests/Makefile | 6 +- tests/suites/test_suite_chacha20.data | 2 + tests/suites/test_suite_chacha20.function | 14 + 14 files changed, 784 insertions(+), 5 deletions(-) create mode 100644 include/mbedtls/chacha20.h create mode 100644 library/chacha20.c create mode 100644 tests/suites/test_suite_chacha20.data create mode 100644 tests/suites/test_suite_chacha20.function diff --git a/include/mbedtls/chacha20.h b/include/mbedtls/chacha20.h new file mode 100644 index 000000000..ab10a96a8 --- /dev/null +++ b/include/mbedtls/chacha20.h @@ -0,0 +1,169 @@ +/** + * \file chacha20.h + * + * \brief ChaCha20 cipher. + * + * \author Daniel King + * + * Copyright (C) 2006-2016, ARM Limited, All Rights Reserved + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This file is part of mbed TLS (https://tls.mbed.org) + */ +#ifndef MBEDTLS_CHACHA20_H +#define MBEDTLS_CHACHA20_H + +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + +#if !defined(MBEDTLS_CHACHA20_ALT) + +#include +#include + +#define MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA -0x003B /**< Invalid input parameter(s). */ + +typedef struct +{ + uint32_t initial_state[16]; /*! Holds the initial state (before round operations) */ + uint32_t working_state[16]; /*! Holds the working state (after round operations) */ + uint8_t keystream8[64]; /*! Holds leftover keystream bytes */ + size_t keystream_bytes_used; /*! Number of keystream bytes currently used */ +} +mbedtls_chacha20_context; + +/** + * \brief Initialize ChaCha20 context + * + * \param ctx ChaCha20 context to be initialized + */ +void mbedtls_chacha20_init( mbedtls_chacha20_context *ctx ); + +/** + * \brief Clear ChaCha20 context + * + * \param ctx ChaCha20 context to be cleared + */ +void mbedtls_chacha20_free( mbedtls_chacha20_context *ctx ); + +/** + * \brief Set the ChaCha20 key. + * + * \note The nonce and counter must be set after calling this function, + * before data can be encrypted/decrypted. The nonce and + * counter are set by calling mbedtls_chacha20_starts. + * + * \see mbedtls_chacha20_starts + * + * \param ctx The context to setup. + * \param key Buffer containing the 256-bit key. Must be 32 bytes in length. + * + * \return MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA is returned if ctx or key + * is NULL, or if key_bits is not 128 or 256. + * Otherwise, 0 is returned to indicate success. + */ +int mbedtls_chacha20_setkey( mbedtls_chacha20_context *ctx, + const unsigned char key[32] ); + +/** + * \brief Set the ChaCha20 nonce and initial counter value. + * + * \note A ChaCha20 context can be re-used with the same key by + * calling this function to change the nonce and/or initial + * counter value. + * + * \param ctx The ChaCha20 context. + * \param nonce Buffer containing the 96-bit nonce. Must be 12 bytes in size. + * \param counter Initial counter value to use. This is usually 0. + * + * \return MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA is returned if ctx or + * nonce is NULL. + * Otherwise, 0 is returned to indicate success. + */ +int mbedtls_chacha20_starts( mbedtls_chacha20_context* ctx, + const unsigned char nonce[12], + uint32_t counter ); + +/** + * \brief Encrypt or decrypt data. + * + * This function is used to both encrypt and decrypt data. + * + * \note The \p input and \p output buffers may overlap, but only + * if input >= output (i.e. only if input points ahead of + * the output pointer). + * + * \note mbedtls_chacha20_setkey and mbedtls_chacha20_starts must be + * called at least once to setup the context before this function + * can be called. + * + * \param ctx The ChaCha20 context. + * \param size The length (in bytes) to process. This can have any length. + * \param input Buffer containing the input data. + * \param output Buffer containing the output data. + * + * \return MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA if the ctx, input, or + * output pointers are NULL. + * Otherwise, 0 is returned to indicate success. + */ +int mbedtls_chacha20_process( mbedtls_chacha20_context *ctx, + size_t size, + const unsigned char *input, + unsigned char *output ); + +#else /* MBEDTLS_CHACHA20_ALT */ +#include "chacha20_alt.h" +#endif /* MBEDTLS_CHACHA20_ALT */ + +/** + * \brief Encrypt or decrypt a message using ChaCha20. + * + * This function is used the same way for encrypting and + * decrypting data. It's not necessary to specify which + * operation is being performed. + * + * \note The \p input and \p output buffers may overlap, but only + * if input >= output (i.e. only if input points ahead of + * the output pointer). + * + * \param key Buffer containing the 256-bit key. Must be 32 bytes in length. + * \param nonce Buffer containing the 96-bit nonce. Must be 12 bytes in length. + * \param counter The initial counter value. This is usually 0. + * \param data_len The number of bytes to process. + * \param input Buffer containing the input data (data to encrypt or decrypt). + * \param output Buffer to where the processed data is written. + * + * \return MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA if key, nonce, input, + * or output is NULL. + * Otherwise, 0 is returned to indicate success. + */ +int mbedtls_chacha20_crypt( const unsigned char key[32], + const unsigned char nonce[12], + uint32_t counter, + size_t data_len, + const unsigned char* input, + unsigned char* output ); + +/** + * \brief Checkup routine + * + * \return 0 if successful, or 1 if the test failed + */ +int mbedtls_chacha20_self_test( int verbose ); + +#endif /* MBEDTLS_CHACHA20_H */ diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 7c9acb230..4c8fc3c36 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -274,6 +274,7 @@ //#define MBEDTLS_BLOWFISH_ALT //#define MBEDTLS_CAMELLIA_ALT //#define MBEDTLS_CCM_ALT +//#define MBEDTLS_CHACHA20_ALT //#define MBEDTLS_CMAC_ALT //#define MBEDTLS_DES_ALT //#define MBEDTLS_DHM_ALT @@ -1861,6 +1862,15 @@ */ #define MBEDTLS_CERTS_C +/** + * \def MBEDTLS_CHACHA20_C + * + * Enable the ChaCha20 stream cipher. + * + * Module: library/chacha20.c + */ +#define MBEDTLS_CHACHA20_C + /** * \def MBEDTLS_CIPHER_C * diff --git a/include/mbedtls/error.h b/include/mbedtls/error.h index 8b4d3a875..ace0c47a6 100644 --- a/include/mbedtls/error.h +++ b/include/mbedtls/error.h @@ -76,6 +76,7 @@ * SHA1 1 0x0035-0x0035 * SHA256 1 0x0037-0x0037 * SHA512 1 0x0039-0x0039 + * CHACHA20 1 0x003B-0x003B * * High-level module nr (3 bits - 0x0...-0x7...) * Name ID Nr of Errors diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt index 6177ca2b4..78bab7fc7 100644 --- a/library/CMakeLists.txt +++ b/library/CMakeLists.txt @@ -13,6 +13,7 @@ set(src_crypto blowfish.c camellia.c ccm.c + chacha20.c cipher.c cipher_wrap.c cmac.c diff --git a/library/Makefile b/library/Makefile index b155c720e..4fab59846 100644 --- a/library/Makefile +++ b/library/Makefile @@ -50,7 +50,8 @@ endif OBJS_CRYPTO= aes.o aesni.o arc4.o \ asn1parse.o asn1write.o base64.o \ bignum.o blowfish.o camellia.o \ - ccm.o cipher.o cipher_wrap.o \ + ccm.o chacha20.o \ + cipher.o cipher_wrap.o \ cmac.o ctr_drbg.o des.o \ dhm.o ecdh.o ecdsa.o \ ecjpake.o ecp.o \ diff --git a/library/chacha20.c b/library/chacha20.c new file mode 100644 index 000000000..75fd9e915 --- /dev/null +++ b/library/chacha20.c @@ -0,0 +1,551 @@ +/** + * \file chacha20.c + * + * \brief ChaCha20 cipher. + * + * \author Daniel King + * + * Copyright (C) 2006-2016, ARM Limited, All Rights Reserved + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This file is part of mbed TLS (https://tls.mbed.org) + */ +#include "mbedtls/chacha20.h" + +#if !defined(MBEDTLS_CONFIG_FILE) +#include "mbedtls/config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + +#if defined(MBEDTLS_CHACHA20_C) + +#if !defined(MBEDTLS_CHACHA20_ALT) + +#include +#include + +#if defined(MBEDTLS_SELF_TEST) +#if defined(MBEDTLS_PLATFORM_C) +#include "mbedtls/platform.h" +#else +#include +#define mbedtls_printf printf +#endif /* MBEDTLS_PLATFORM_C */ +#endif /* MBEDTLS_SELF_TEST */ + +#define BYTES_TO_U32_LE( data, offset ) \ + ( (uint32_t)data[offset] | \ + (uint32_t)( (uint32_t)data[(offset) + 1] << 8 ) | \ + (uint32_t)( (uint32_t)data[(offset) + 2] << 16 ) | \ + (uint32_t)( (uint32_t)data[(offset) + 3] << 24 ) \ + ) + +#define ROTL32( value, amount ) ( (uint32_t)( value << amount ) | ( value >> ( 32 - amount ) ) ) + +#define CHACHA20_CTR_INDEX ( 12U ) + +#define CHACHA20_BLOCK_SIZE_BYTES ( 4U * 16U ) + +/* Implementation that should never be optimized out by the compiler */ +static void mbedtls_zeroize( void *v, size_t n ) { + volatile unsigned char *p = v; while( n-- ) *p++ = 0; +} + +/** + * \brief ChaCha20 quarter round operation. + * + * The quarter round is defined as follows (from RFC 7539): + * 1. a += b; d ^= a; d <<<= 16; + * 2. c += d; b ^= c; b <<<= 12; + * 3. a += b; d ^= a; d <<<= 8; + * 4. c += d; b ^= c; b <<<= 7; + * + * \param state ChaCha20 state to modify. + * \param a The index of 'a' in the state. + * \param b The index of 'b' in the state. + * \param c The index of 'c' in the state. + * \param d The index of 'd' in the state. + */ +static inline void mbedtls_chacha20_quarter_round( uint32_t state[16], + size_t a, + size_t b, + size_t c, + size_t d ) +{ + /* a += b; d ^= a; d <<<= 16; */ + state[a] += state[b]; + state[d] ^= state[a]; + state[d] = ROTL32( state[d], 16 ); + + /* c += d; b ^= c; b <<<= 12 */ + state[c] += state[d]; + state[b] ^= state[c]; + state[b] = ROTL32( state[b], 12 ); + + /* a += b; d ^= a; d <<<= 8; */ + state[a] += state[b]; + state[d] ^= state[a]; + state[d] = ROTL32( state[d], 8 ); + + /* c += d; b ^= c; b <<<= 7; */ + state[c] += state[d]; + state[b] ^= state[c]; + state[b] = ROTL32( state[b], 7 ); +} + +/** + * \brief Perform the ChaCha20 inner block operation. + * + * This function performs two rounds: the column round and the + * diagonal round. + * + * \param state The ChaCha20 state to update. + */ +static void mbedtls_chacha20_inner_block( uint32_t state[16] ) +{ + mbedtls_chacha20_quarter_round( state, 0, 4, 8, 12 ); + mbedtls_chacha20_quarter_round( state, 1, 5, 9, 13 ); + mbedtls_chacha20_quarter_round( state, 2, 6, 10, 14 ); + mbedtls_chacha20_quarter_round( state, 3, 7, 11, 15 ); + + mbedtls_chacha20_quarter_round( state, 0, 5, 10, 15 ); + mbedtls_chacha20_quarter_round( state, 1, 6, 11, 12 ); + mbedtls_chacha20_quarter_round( state, 2, 7, 8, 13 ); + mbedtls_chacha20_quarter_round( state, 3, 4, 9, 14 ); +} + +/** + * \brief Generates a keystream block. + * + * \param initial_state The initial ChaCha20 state (containing the key, nonce, counter). + * \param working_state This state is used as a temporary working area. + * \param keystream Generated keystream bytes are written to this buffer. + */ +static void mbedtls_chacha20_block( mbedtls_chacha20_context *ctx, + unsigned char keystream[64] ) +{ + size_t i; + size_t offset; + + memcpy( ctx->working_state, + ctx->initial_state, + sizeof(ctx->initial_state) ); + + for ( i = 0U; i < 10U; i++ ) + { + mbedtls_chacha20_inner_block( ctx->working_state ); + } + + ctx->working_state[0] += ctx->initial_state[0]; + ctx->working_state[1] += ctx->initial_state[1]; + ctx->working_state[2] += ctx->initial_state[2]; + ctx->working_state[3] += ctx->initial_state[3]; + ctx->working_state[4] += ctx->initial_state[4]; + ctx->working_state[5] += ctx->initial_state[5]; + ctx->working_state[6] += ctx->initial_state[6]; + ctx->working_state[7] += ctx->initial_state[7]; + ctx->working_state[8] += ctx->initial_state[8]; + ctx->working_state[9] += ctx->initial_state[9]; + ctx->working_state[10] += ctx->initial_state[10]; + ctx->working_state[11] += ctx->initial_state[11]; + ctx->working_state[12] += ctx->initial_state[12]; + ctx->working_state[13] += ctx->initial_state[13]; + ctx->working_state[14] += ctx->initial_state[14]; + ctx->working_state[15] += ctx->initial_state[15]; + + for ( i = 0U; i < 16; i++ ) + { + offset = i * 4U; + + keystream[offset ] = (unsigned char) ctx->working_state[i]; + keystream[offset + 1U] = (unsigned char)( ctx->working_state[i] >> 8 ); + keystream[offset + 2U] = (unsigned char)( ctx->working_state[i] >> 16 ); + keystream[offset + 3U] = (unsigned char)( ctx->working_state[i] >> 24 ); + } +} + +void mbedtls_chacha20_init( mbedtls_chacha20_context *ctx ) +{ + if ( ctx != NULL ) + { + mbedtls_zeroize( ctx->initial_state, sizeof( ctx->initial_state ) ); + mbedtls_zeroize( ctx->working_state, sizeof( ctx->working_state ) ); + mbedtls_zeroize( ctx->keystream8, sizeof( ctx->keystream8 ) ); + + /* Initially, there's no keystream bytes available */ + ctx->keystream_bytes_used = CHACHA20_BLOCK_SIZE_BYTES; + } +} + +void mbedtls_chacha20_free( mbedtls_chacha20_context *ctx ) +{ + if ( ctx != NULL ) + { + mbedtls_zeroize( ctx, sizeof( mbedtls_chacha20_context ) ); + } +} + +int mbedtls_chacha20_setkey( mbedtls_chacha20_context *ctx, + const unsigned char key[32] ) +{ + if ( ( ctx == NULL ) || ( key == NULL ) ) + { + return( MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA ); + } + + /* ChaCha20 constants - the string "expand 32-byte k" */ + ctx->initial_state[0] = 0x61707865; + ctx->initial_state[1] = 0x3320646e; + ctx->initial_state[2] = 0x79622d32; + ctx->initial_state[3] = 0x6b206574; + + /* Set key */ + ctx->initial_state[4] = BYTES_TO_U32_LE( key, 0 ); + ctx->initial_state[5] = BYTES_TO_U32_LE( key, 4 ); + ctx->initial_state[6] = BYTES_TO_U32_LE( key, 8 ); + ctx->initial_state[7] = BYTES_TO_U32_LE( key, 12 ); + ctx->initial_state[8] = BYTES_TO_U32_LE( key, 16 ); + ctx->initial_state[9] = BYTES_TO_U32_LE( key, 20 ); + ctx->initial_state[10] = BYTES_TO_U32_LE( key, 24 ); + ctx->initial_state[11] = BYTES_TO_U32_LE( key, 28 ); + + return( 0 ); +} + +int mbedtls_chacha20_starts( mbedtls_chacha20_context* ctx, + const unsigned char nonce[12], + uint32_t counter ) +{ + if ( ( ctx == NULL ) || ( nonce == NULL ) ) + { + return( MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA ); + } + + /* Counter */ + ctx->initial_state[12] = counter; + + /* Nonce */ + ctx->initial_state[13] = BYTES_TO_U32_LE( nonce, 0 ); + ctx->initial_state[14] = BYTES_TO_U32_LE( nonce, 4 ); + ctx->initial_state[15] = BYTES_TO_U32_LE( nonce, 8 ); + + return( 0 ); +} + +int mbedtls_chacha20_process( mbedtls_chacha20_context *ctx, + size_t size, + const unsigned char *input, + unsigned char *output ) +{ + size_t offset = 0U; + size_t i; + + if ( ( ctx == NULL ) || ( input == NULL ) || ( output == NULL ) ) + { + return( MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA ); + } + + /* Use leftover keystream bytes, if available */ + while ( ( size > 0U ) && ( ctx->keystream_bytes_used < CHACHA20_BLOCK_SIZE_BYTES ) ) + { + output[offset] = input[offset] ^ ctx->keystream8[ctx->keystream_bytes_used]; + + ctx->keystream_bytes_used++; + offset++; + size--; + } + + /* Process full blocks */ + while ( size >= CHACHA20_BLOCK_SIZE_BYTES ) + { + mbedtls_chacha20_block( ctx, &output[offset] ); + + for ( i = 0U; i < 64U; i += 8U ) + { + output[offset + i ] ^= input[offset + i ]; + output[offset + i + 1U] ^= input[offset + i + 1U]; + output[offset + i + 2U] ^= input[offset + i + 2U]; + output[offset + i + 3U] ^= input[offset + i + 3U]; + output[offset + i + 4U] ^= input[offset + i + 4U]; + output[offset + i + 5U] ^= input[offset + i + 5U]; + output[offset + i + 6U] ^= input[offset + i + 6U]; + output[offset + i + 7U] ^= input[offset + i + 7U]; + } + + /* Increment counter */ + ctx->initial_state[CHACHA20_CTR_INDEX]++; + + offset += 64U; + size -= 64U; + } + + /* Last (partial) block */ + if ( size > 0U ) + { + mbedtls_chacha20_block( ctx, ctx->keystream8 ); + + for ( i = 0U; i < size; i++) + { + output[offset + i] = input[offset + i] ^ ctx->keystream8[i]; + } + + ctx->keystream_bytes_used = size; + + /* Increment counter */ + ctx->initial_state[CHACHA20_CTR_INDEX]++; + } + + return 0; +} + +#endif /* !MBEDTLS_CHACHA20_ALT */ + +int mbedtls_chacha20_crypt( const unsigned char key[32], + const unsigned char nonce[12], + uint32_t counter, + size_t data_len, + const unsigned char* input, + unsigned char* output ) +{ + mbedtls_chacha20_context ctx; + int result; + + mbedtls_chacha20_init( &ctx ); + + result = mbedtls_chacha20_setkey( &ctx, key ); + if ( result != 0 ) + goto cleanup; + + result = mbedtls_chacha20_starts( &ctx, nonce, counter ); + if ( result != 0 ) + goto cleanup; + + result = mbedtls_chacha20_process( &ctx, data_len, input, output ); + +cleanup: + mbedtls_chacha20_free( &ctx ); + return result; +} + +#if defined(MBEDTLS_SELF_TEST) + +static const unsigned char test_keys[2][32] = +{ + { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 + }, + { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 + } +}; + +static const unsigned char test_nonces[2][12] = +{ + { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00 + }, + { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x02 + } +}; + +static const uint32_t test_counters[2] = +{ + 0U, + 1U +}; + +static const unsigned char test_input[2][375] = +{ + { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 + }, + { + 0x41, 0x6e, 0x79, 0x20, 0x73, 0x75, 0x62, 0x6d, + 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x20, 0x74, + 0x6f, 0x20, 0x74, 0x68, 0x65, 0x20, 0x49, 0x45, + 0x54, 0x46, 0x20, 0x69, 0x6e, 0x74, 0x65, 0x6e, + 0x64, 0x65, 0x64, 0x20, 0x62, 0x79, 0x20, 0x74, + 0x68, 0x65, 0x20, 0x43, 0x6f, 0x6e, 0x74, 0x72, + 0x69, 0x62, 0x75, 0x74, 0x6f, 0x72, 0x20, 0x66, + 0x6f, 0x72, 0x20, 0x70, 0x75, 0x62, 0x6c, 0x69, + 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x61, + 0x73, 0x20, 0x61, 0x6c, 0x6c, 0x20, 0x6f, 0x72, + 0x20, 0x70, 0x61, 0x72, 0x74, 0x20, 0x6f, 0x66, + 0x20, 0x61, 0x6e, 0x20, 0x49, 0x45, 0x54, 0x46, + 0x20, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, + 0x74, 0x2d, 0x44, 0x72, 0x61, 0x66, 0x74, 0x20, + 0x6f, 0x72, 0x20, 0x52, 0x46, 0x43, 0x20, 0x61, + 0x6e, 0x64, 0x20, 0x61, 0x6e, 0x79, 0x20, 0x73, + 0x74, 0x61, 0x74, 0x65, 0x6d, 0x65, 0x6e, 0x74, + 0x20, 0x6d, 0x61, 0x64, 0x65, 0x20, 0x77, 0x69, + 0x74, 0x68, 0x69, 0x6e, 0x20, 0x74, 0x68, 0x65, + 0x20, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74, + 0x20, 0x6f, 0x66, 0x20, 0x61, 0x6e, 0x20, 0x49, + 0x45, 0x54, 0x46, 0x20, 0x61, 0x63, 0x74, 0x69, + 0x76, 0x69, 0x74, 0x79, 0x20, 0x69, 0x73, 0x20, + 0x63, 0x6f, 0x6e, 0x73, 0x69, 0x64, 0x65, 0x72, + 0x65, 0x64, 0x20, 0x61, 0x6e, 0x20, 0x22, 0x49, + 0x45, 0x54, 0x46, 0x20, 0x43, 0x6f, 0x6e, 0x74, + 0x72, 0x69, 0x62, 0x75, 0x74, 0x69, 0x6f, 0x6e, + 0x22, 0x2e, 0x20, 0x53, 0x75, 0x63, 0x68, 0x20, + 0x73, 0x74, 0x61, 0x74, 0x65, 0x6d, 0x65, 0x6e, + 0x74, 0x73, 0x20, 0x69, 0x6e, 0x63, 0x6c, 0x75, + 0x64, 0x65, 0x20, 0x6f, 0x72, 0x61, 0x6c, 0x20, + 0x73, 0x74, 0x61, 0x74, 0x65, 0x6d, 0x65, 0x6e, + 0x74, 0x73, 0x20, 0x69, 0x6e, 0x20, 0x49, 0x45, + 0x54, 0x46, 0x20, 0x73, 0x65, 0x73, 0x73, 0x69, + 0x6f, 0x6e, 0x73, 0x2c, 0x20, 0x61, 0x73, 0x20, + 0x77, 0x65, 0x6c, 0x6c, 0x20, 0x61, 0x73, 0x20, + 0x77, 0x72, 0x69, 0x74, 0x74, 0x65, 0x6e, 0x20, + 0x61, 0x6e, 0x64, 0x20, 0x65, 0x6c, 0x65, 0x63, + 0x74, 0x72, 0x6f, 0x6e, 0x69, 0x63, 0x20, 0x63, + 0x6f, 0x6d, 0x6d, 0x75, 0x6e, 0x69, 0x63, 0x61, + 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x20, 0x6d, 0x61, + 0x64, 0x65, 0x20, 0x61, 0x74, 0x20, 0x61, 0x6e, + 0x79, 0x20, 0x74, 0x69, 0x6d, 0x65, 0x20, 0x6f, + 0x72, 0x20, 0x70, 0x6c, 0x61, 0x63, 0x65, 0x2c, + 0x20, 0x77, 0x68, 0x69, 0x63, 0x68, 0x20, 0x61, + 0x72, 0x65, 0x20, 0x61, 0x64, 0x64, 0x72, 0x65, + 0x73, 0x73, 0x65, 0x64, 0x20, 0x74, 0x6f + } +}; + +static const unsigned char test_output[2][375] = +{ + { + 0x76, 0xb8, 0xe0, 0xad, 0xa0, 0xf1, 0x3d, 0x90, + 0x40, 0x5d, 0x6a, 0xe5, 0x53, 0x86, 0xbd, 0x28, + 0xbd, 0xd2, 0x19, 0xb8, 0xa0, 0x8d, 0xed, 0x1a, + 0xa8, 0x36, 0xef, 0xcc, 0x8b, 0x77, 0x0d, 0xc7, + 0xda, 0x41, 0x59, 0x7c, 0x51, 0x57, 0x48, 0x8d, + 0x77, 0x24, 0xe0, 0x3f, 0xb8, 0xd8, 0x4a, 0x37, + 0x6a, 0x43, 0xb8, 0xf4, 0x15, 0x18, 0xa1, 0x1c, + 0xc3, 0x87, 0xb6, 0x69, 0xb2, 0xee, 0x65, 0x86 + }, + { + 0xa3, 0xfb, 0xf0, 0x7d, 0xf3, 0xfa, 0x2f, 0xde, + 0x4f, 0x37, 0x6c, 0xa2, 0x3e, 0x82, 0x73, 0x70, + 0x41, 0x60, 0x5d, 0x9f, 0x4f, 0x4f, 0x57, 0xbd, + 0x8c, 0xff, 0x2c, 0x1d, 0x4b, 0x79, 0x55, 0xec, + 0x2a, 0x97, 0x94, 0x8b, 0xd3, 0x72, 0x29, 0x15, + 0xc8, 0xf3, 0xd3, 0x37, 0xf7, 0xd3, 0x70, 0x05, + 0x0e, 0x9e, 0x96, 0xd6, 0x47, 0xb7, 0xc3, 0x9f, + 0x56, 0xe0, 0x31, 0xca, 0x5e, 0xb6, 0x25, 0x0d, + 0x40, 0x42, 0xe0, 0x27, 0x85, 0xec, 0xec, 0xfa, + 0x4b, 0x4b, 0xb5, 0xe8, 0xea, 0xd0, 0x44, 0x0e, + 0x20, 0xb6, 0xe8, 0xdb, 0x09, 0xd8, 0x81, 0xa7, + 0xc6, 0x13, 0x2f, 0x42, 0x0e, 0x52, 0x79, 0x50, + 0x42, 0xbd, 0xfa, 0x77, 0x73, 0xd8, 0xa9, 0x05, + 0x14, 0x47, 0xb3, 0x29, 0x1c, 0xe1, 0x41, 0x1c, + 0x68, 0x04, 0x65, 0x55, 0x2a, 0xa6, 0xc4, 0x05, + 0xb7, 0x76, 0x4d, 0x5e, 0x87, 0xbe, 0xa8, 0x5a, + 0xd0, 0x0f, 0x84, 0x49, 0xed, 0x8f, 0x72, 0xd0, + 0xd6, 0x62, 0xab, 0x05, 0x26, 0x91, 0xca, 0x66, + 0x42, 0x4b, 0xc8, 0x6d, 0x2d, 0xf8, 0x0e, 0xa4, + 0x1f, 0x43, 0xab, 0xf9, 0x37, 0xd3, 0x25, 0x9d, + 0xc4, 0xb2, 0xd0, 0xdf, 0xb4, 0x8a, 0x6c, 0x91, + 0x39, 0xdd, 0xd7, 0xf7, 0x69, 0x66, 0xe9, 0x28, + 0xe6, 0x35, 0x55, 0x3b, 0xa7, 0x6c, 0x5c, 0x87, + 0x9d, 0x7b, 0x35, 0xd4, 0x9e, 0xb2, 0xe6, 0x2b, + 0x08, 0x71, 0xcd, 0xac, 0x63, 0x89, 0x39, 0xe2, + 0x5e, 0x8a, 0x1e, 0x0e, 0xf9, 0xd5, 0x28, 0x0f, + 0xa8, 0xca, 0x32, 0x8b, 0x35, 0x1c, 0x3c, 0x76, + 0x59, 0x89, 0xcb, 0xcf, 0x3d, 0xaa, 0x8b, 0x6c, + 0xcc, 0x3a, 0xaf, 0x9f, 0x39, 0x79, 0xc9, 0x2b, + 0x37, 0x20, 0xfc, 0x88, 0xdc, 0x95, 0xed, 0x84, + 0xa1, 0xbe, 0x05, 0x9c, 0x64, 0x99, 0xb9, 0xfd, + 0xa2, 0x36, 0xe7, 0xe8, 0x18, 0xb0, 0x4b, 0x0b, + 0xc3, 0x9c, 0x1e, 0x87, 0x6b, 0x19, 0x3b, 0xfe, + 0x55, 0x69, 0x75, 0x3f, 0x88, 0x12, 0x8c, 0xc0, + 0x8a, 0xaa, 0x9b, 0x63, 0xd1, 0xa1, 0x6f, 0x80, + 0xef, 0x25, 0x54, 0xd7, 0x18, 0x9c, 0x41, 0x1f, + 0x58, 0x69, 0xca, 0x52, 0xc5, 0xb8, 0x3f, 0xa3, + 0x6f, 0xf2, 0x16, 0xb9, 0xc1, 0xd3, 0x00, 0x62, + 0xbe, 0xbc, 0xfd, 0x2d, 0xc5, 0xbc, 0xe0, 0x91, + 0x19, 0x34, 0xfd, 0xa7, 0x9a, 0x86, 0xf6, 0xe6, + 0x98, 0xce, 0xd7, 0x59, 0xc3, 0xff, 0x9b, 0x64, + 0x77, 0x33, 0x8f, 0x3d, 0xa4, 0xf9, 0xcd, 0x85, + 0x14, 0xea, 0x99, 0x82, 0xcc, 0xaf, 0xb3, 0x41, + 0xb2, 0x38, 0x4d, 0xd9, 0x02, 0xf3, 0xd1, 0xab, + 0x7a, 0xc6, 0x1d, 0xd2, 0x9c, 0x6f, 0x21, 0xba, + 0x5b, 0x86, 0x2f, 0x37, 0x30, 0xe3, 0x7c, 0xfd, + 0xc4, 0xfd, 0x80, 0x6c, 0x22, 0xf2, 0x21 + } +}; + +static const size_t test_lengths[2] = +{ + 64U, + 375U +}; + +int mbedtls_chacha20_self_test( int verbose ) +{ + unsigned char output[381]; + size_t i; + int result; + + for ( i = 0U; i < 2U; i++ ) + { + result = mbedtls_chacha20_crypt( test_keys[i], + test_nonces[i], + test_counters[i], + test_lengths[i], + test_input[i], + output ); + if ( result != 0) + { + if ( verbose != 0 ) + { + mbedtls_printf( "ChaCha20 test %zi error code: %i\n", i, result ); + } + + return( -1 ); + } + + if ( 0 != memcmp( output, test_output[i], test_lengths[i] ) ) + { + if ( verbose != 0 ) + { + mbedtls_printf( "ChaCha20 test %zi failed\n", i ); + } + + return( -1 ); + } + } + + return( 0 ); +} + +#endif /* MBEDTLS_SELF_TEST */ + +#endif /* !MBEDTLS_CHACHA20_C */ diff --git a/library/error.c b/library/error.c index 222d85b62..2aaf359ef 100644 --- a/library/error.c +++ b/library/error.c @@ -69,6 +69,10 @@ #include "mbedtls/ccm.h" #endif +#if defined(MBEDTLS_CHACHA20_C) +#include "mbedtls/chacha20.h" +#endif + #if defined(MBEDTLS_CIPHER_C) #include "mbedtls/cipher.h" #endif @@ -653,6 +657,11 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen ) mbedtls_snprintf( buf, buflen, "CCM - CCM hardware accelerator failed" ); #endif /* MBEDTLS_CCM_C */ +#if defined(MBEDTLS_CHACHA20_C) + if( use_ret == -(MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA) ) + mbedtls_snprintf( buf, buflen, "CHACHA20 - Invalid input parameter(s)" ); +#endif /* MBEDTLS_CHACHA20_C */ + #if defined(MBEDTLS_CMAC_C) if( use_ret == -(MBEDTLS_ERR_CMAC_HW_ACCEL_FAILED) ) mbedtls_snprintf( buf, buflen, "CMAC - CMAC hardware accelerator failed" ); diff --git a/library/version_features.c b/library/version_features.c index a452caf5e..febd506b7 100644 --- a/library/version_features.c +++ b/library/version_features.c @@ -99,6 +99,9 @@ static const char *features[] = { #if defined(MBEDTLS_CCM_ALT) "MBEDTLS_CCM_ALT", #endif /* MBEDTLS_CCM_ALT */ +#if defined(MBEDTLS_CHACHA20_ALT) + "MBEDTLS_CHACHA20_ALT", +#endif /* MBEDTLS_CHACHA20_ALT */ #if defined(MBEDTLS_CMAC_ALT) "MBEDTLS_CMAC_ALT", #endif /* MBEDTLS_CMAC_ALT */ @@ -537,6 +540,9 @@ static const char *features[] = { #if defined(MBEDTLS_CERTS_C) "MBEDTLS_CERTS_C", #endif /* MBEDTLS_CERTS_C */ +#if defined(MBEDTLS_CHACHA20_C) + "MBEDTLS_CHACHA20_C", +#endif /* MBEDTLS_CHACHA20_C */ #if defined(MBEDTLS_CIPHER_C) "MBEDTLS_CIPHER_C", #endif /* MBEDTLS_CIPHER_C */ diff --git a/programs/test/benchmark.c b/programs/test/benchmark.c index cecf3e363..bc473cf86 100644 --- a/programs/test/benchmark.c +++ b/programs/test/benchmark.c @@ -59,6 +59,7 @@ int main( void ) #include "mbedtls/aes.h" #include "mbedtls/blowfish.h" #include "mbedtls/camellia.h" +#include "mbedtls/chacha20.h" #include "mbedtls/gcm.h" #include "mbedtls/ccm.h" #include "mbedtls/cmac.h" @@ -93,7 +94,7 @@ int main( void ) #define OPTIONS \ "md4, md5, ripemd160, sha1, sha256, sha512,\n" \ - "arc4, des3, des, camellia, blowfish,\n" \ + "arc4, des3, des, camellia, blowfish, chacha20,\n" \ "aes_cbc, aes_gcm, aes_ccm, aes_cmac, des3_cmac,\n" \ "havege, ctr_drbg, hmac_drbg\n" \ "rsa, dhm, ecdsa, ecdh.\n" @@ -229,7 +230,7 @@ typedef struct { char md4, md5, ripemd160, sha1, sha256, sha512, arc4, des3, des, aes_cbc, aes_gcm, aes_ccm, aes_cmac, des3_cmac, - camellia, blowfish, + camellia, blowfish, chacha20, havege, ctr_drbg, hmac_drbg, rsa, dhm, ecdsa, ecdh; } todo_list; @@ -286,6 +287,8 @@ int main( int argc, char *argv[] ) todo.camellia = 1; else if( strcmp( argv[i], "blowfish" ) == 0 ) todo.blowfish = 1; + else if( strcmp( argv[i], "chacha20" ) == 0 ) + todo.chacha20 = 1; else if( strcmp( argv[i], "havege" ) == 0 ) todo.havege = 1; else if( strcmp( argv[i], "ctr_drbg" ) == 0 ) @@ -520,6 +523,13 @@ int main( int argc, char *argv[] ) } #endif +#if defined(MBEDTLS_CHACHA20_C) + if ( todo.chacha20 ) + { + TIME_AND_TSC( "ChaCha20", mbedtls_chacha20_crypt( buf, buf, 0U, BUFSIZE, buf, buf ) ); + } +#endif + #if defined(MBEDTLS_BLOWFISH_C) && defined(MBEDTLS_CIPHER_MODE_CBC) if( todo.blowfish ) { diff --git a/scripts/generate_errors.pl b/scripts/generate_errors.pl index ac0fbff05..36ee60b72 100755 --- a/scripts/generate_errors.pl +++ b/scripts/generate_errors.pl @@ -30,7 +30,7 @@ if( @ARGV ) { my $error_format_file = $data_dir.'/error.fmt'; my @low_level_modules = qw( AES ARC4 ASN1 BASE64 BIGNUM BLOWFISH - CAMELLIA CCM CMAC CTR_DRBG DES + CAMELLIA CCM CHACHA20 CMAC CTR_DRBG DES ENTROPY GCM HMAC_DRBG MD2 MD4 MD5 NET OID PADLOCK PBKDF2 RIPEMD160 SHA1 SHA256 SHA512 THREADING XTEA ); diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt index 16e19a927..1525bc2a3 100644 --- a/tests/CMakeLists.txt +++ b/tests/CMakeLists.txt @@ -54,6 +54,7 @@ add_test_suite(base64) add_test_suite(blowfish) add_test_suite(camellia) add_test_suite(ccm) +add_test_suite(chacha20) add_test_suite(cipher cipher.aes) add_test_suite(cipher cipher.arc4) add_test_suite(cipher cipher.blowfish) diff --git a/tests/Makefile b/tests/Makefile index d85617fdc..233259b7a 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -50,7 +50,7 @@ APPS = test_suite_aes.ecb$(EXEXT) test_suite_aes.cbc$(EXEXT) \ test_suite_arc4$(EXEXT) test_suite_asn1write$(EXEXT) \ test_suite_base64$(EXEXT) test_suite_blowfish$(EXEXT) \ test_suite_camellia$(EXEXT) test_suite_ccm$(EXEXT) \ - test_suite_cmac$(EXEXT) \ + test_suite_chacha20$(EXEXT) test_suite_cmac$(EXEXT) \ test_suite_cipher.aes$(EXEXT) \ test_suite_cipher.arc4$(EXEXT) test_suite_cipher.ccm$(EXEXT) \ test_suite_cipher.gcm$(EXEXT) \ @@ -237,6 +237,10 @@ test_suite_ccm$(EXEXT): test_suite_ccm.c $(DEP) echo " CC $<" $(CC) $(LOCAL_CFLAGS) $(CFLAGS) $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ +test_suite_chacha20$(EXEXT): test_suite_chacha20.c $(DEP) + echo " CC $<" + $(CC) $(LOCAL_CFLAGS) $(CFLAGS) $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ + test_suite_cmac$(EXEXT): test_suite_cmac.c $(DEP) echo " CC $<" $(CC) $(LOCAL_CFLAGS) $(CFLAGS) $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ diff --git a/tests/suites/test_suite_chacha20.data b/tests/suites/test_suite_chacha20.data new file mode 100644 index 000000000..79f0408a2 --- /dev/null +++ b/tests/suites/test_suite_chacha20.data @@ -0,0 +1,2 @@ +ChaCha20 Selftest +chacha20_self_test: diff --git a/tests/suites/test_suite_chacha20.function b/tests/suites/test_suite_chacha20.function new file mode 100644 index 000000000..2825a6148 --- /dev/null +++ b/tests/suites/test_suite_chacha20.function @@ -0,0 +1,14 @@ +/* BEGIN_HEADER */ +#include "mbedtls/chacha20.h" +/* END_HEADER */ + +/* BEGIN_DEPENDENCIES + * depends_on:MBEDTLS_CHACHA20_C + * END_DEPENDENCIES + */ +/* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */ +void chacha20_self_test() +{ + TEST_ASSERT( mbedtls_chacha20_self_test( 0 ) == 0 ); +} +/* END_CASE */ \ No newline at end of file