Commit graph

6699 commits

Author SHA1 Message Date
Jaeden Amero fa66c9eba2 Merge remote-tracking branch 'upstream-public/pr/1629' into evaluation 2018-05-14 17:54:25 +01:00
Janos Follath 4023535425 CCM*: Implement variable tag length 2018-05-14 16:49:51 +01:00
Janos Follath c4e14e1ff5 CCM*: Add minimal test for fixed tag length 2018-05-14 14:32:41 +01:00
Janos Follath e068d6f885 CCM*: Add implementation for fixed tag length 2018-05-14 14:31:49 +01:00
Janos Follath f60c815dc7 CCM*: Add public API
Interface for CCM* (described in IEEE Std 802.15.4.).
2018-05-14 13:45:45 +01:00
Jaeden Amero b1e4fc60ac Merge remote-tracking branch 'upstream-public/pr/1617' into evaluation-2 2018-05-11 11:07:30 +01:00
Jaeden Amero 7d8f00e1b5 Merge remote-tracking branch 'upstream-public/pr/1602' into evaluation-2 2018-05-11 10:56:21 +01:00
Jaeden Amero b7f36548df Merge remote-tracking branch 'upstream-public/pr/1593' into evaluation-2 2018-05-11 10:24:43 +01:00
Jaeden Amero 995e9195ae Merge remote-tracking branch 'upstream-public/pr/1497' into evaluation-2 2018-05-11 10:24:05 +01:00
Jaeden Amero 997c56f357 Add ChangeLog entry for HKDF 2018-05-10 13:18:13 +01:00
Thomas Fossati eb01024a06 Add an HKDF (RFC 5869) implementation 2018-05-10 13:18:13 +01:00
Manuel Pégourié-Gonnard f66a4bd11d cipher: add stream test vectors for chacha20(poly1305) 2018-05-10 13:23:02 +02:00
Manuel Pégourié-Gonnard e363ac78ec cipher: handle ChaCha20 as a stream cipher
That's what it is. So we shouldn't set a block size != 1.

While at it, move call to chachapoly_update() closer to the one for GCM, as
they are similar (AEAD).
2018-05-10 13:23:02 +02:00
Manuel Pégourié-Gonnard 5350251977 Simplify selftest functions using macros
This reduces clutter, making the functions more readable.

Also, it makes lcov see each line as covered. This is not cheating, as the
lines that were previously seen as not covered are not supposed to be reached
anyway (failing branches of the selftests).

Thanks to this and previous test suite enhancements, lcov now sees chacha20.c
and poly1305.c at 100% line coverage, and for chachapoly.c only two lines are
not covered (error returns from lower-level module that should never happen
except perhaps if an alternative implementation returns an unexpected error).
2018-05-10 13:23:02 +02:00
Manuel Pégourié-Gonnard 619b3092c2 chachapoly: add test for state flow 2018-05-10 13:23:02 +02:00
Manuel Pégourié-Gonnard 7a2c7f1475 poly1305: add test with multiple small fragments
This exercises the code path where data is just appended to the waiting queue
while it isn't empty.
2018-05-10 13:23:02 +02:00
Manuel Pégourié-Gonnard 6dbfb69c12 chachapoly: add test for parameter validation
Also fix two bugs found by the new tests.

Also remove redundant test case dependency declarations while at it.
2018-05-10 13:23:02 +02:00
Manuel Pégourié-Gonnard 550c20fcf9 poly1305: add test for parameter validation
Also fix two validation bugs found while adding the tests.

Also handle test dependencies the right way while at it.
2018-05-10 13:23:02 +02:00
Manuel Pégourié-Gonnard 114f28b3d9 chacha20: add test for parameter validation 2018-05-10 13:23:02 +02:00
Manuel Pégourié-Gonnard e9ea6d6e11 Fix selftest verbosity in test suites 2018-05-10 13:23:02 +02:00
Manuel Pégourié-Gonnard 996477d84b cipher: add chachapoly test vector + unauth case 2018-05-10 13:23:02 +02:00
Manuel Pégourié-Gonnard 97e34bf2f2 poly1305: fix bug in starts() and add test for it 2018-05-10 13:23:02 +02:00
Manuel Pégourié-Gonnard b60045aacb chacha20: fix bug in starts() and add test for it
Previously the streaming API would fail when encrypting multiple messages with
the same key.
2018-05-10 13:23:02 +02:00
Manuel Pégourié-Gonnard 2faaa10e68 chachapoly: add test with unauthentic data 2018-05-10 13:23:02 +02:00
Manuel Pégourié-Gonnard f11d8e5f4d Reduce size of buffers in test suites 2018-05-10 13:23:02 +02:00
Manuel Pégourié-Gonnard c975b2cc41 Add Chacha20-Poly1305 to benchmark.c 2018-05-10 13:23:02 +02:00
Manuel Pégourié-Gonnard d17d297a63 Add FEATURE_NOT_AVAILABLE error codes. 2018-05-10 13:23:02 +02:00
Manuel Pégourié-Gonnard 799b3903de chachapoly: adjust parameter order
This module used (len, pointer) while (pointer, len) is more common in the
rest of the library, in particular it's what's used in the GCM API that
very comparable to it, so switch to (pointer, len) for consistency.

Note that the crypt_and_tag() and auth_decrypt() functions were already using
the same convention as GCM, so this also increases intra-module consistency.
2018-05-10 13:23:02 +02:00
Manuel Pégourié-Gonnard 9b7a93cf1f poly1305: adjust parameter order
This module used (len, pointer) while (pointer, len) is more common in the
rest of the library, in particular it's what's used in the CMAC API that is
very comparable to Poly1305, so switch to (pointer, len) for consistency.
2018-05-10 13:23:02 +02:00
Manuel Pégourié-Gonnard 6048e05d5c Update documentation to match new guidelines. 2018-05-10 13:23:02 +02:00
Manuel Pégourié-Gonnard 4f522633eb cipher: use new functions from chachapoly 2018-05-10 13:23:02 +02:00
Manuel Pégourié-Gonnard 52a56d3b86 chachapoly: split crypt_and_mac() to match GCM API
In addition to making the APIs of the various AEAD modules more consistent
with each other, it's useful to have an auth_decrypt() function so that we can
safely check the tag ourselves, as the user might otherwise do it in an
insecure way (or even forget to do it altogether).
2018-05-10 13:23:02 +02:00
Manuel Pégourié-Gonnard 453cf2850f Remove semi-internal chacha20_keystrem_block()
It's actually easy to implement chachapoly without it, so let's not clutter
the API (and avoid adding a burden to alt implementers).
2018-05-10 13:23:02 +02:00
Manuel Pégourié-Gonnard 02969bf882 ChaCha20: allow in-place en/decryption
All other ciphers so far allow this. In particular, the TLS layer depends on
this, despite what's documented in the Cipher layer, see
https://github.com/ARMmbed/mbedtls/issues/1085
https://github.com/ARMmbed/mbedtls/issues/1087

Also, this can be useful for implementing chachapoly without depending on the
semi-internal function keystream_block(), see next commit.
2018-05-10 13:23:02 +02:00
Manuel Pégourié-Gonnard d4bd8569d4 Rename aead_chacha20_poly1305 to chachapoly
While the old name is explicit and aligned with the RFC, it's also very long,
so with the mbedtls_ prefix prepended we get a 31-char prefix to each
identifier, which quickly conflicts with our 80-column policy.

The new name is shorter, it's what a lot of people use when speaking about
that construction anyway, and hopefully should not introduce confusion at
it seems unlikely that variants other than 20/1305 be standardised in the
foreseeable future.
2018-05-10 13:23:02 +02:00
Manuel Pégourié-Gonnard 54b1a7342c Rename poly1305_setkey() to poly1305_starts()
For consistency with the existing CMAC and HMAC APIs
2018-05-10 13:22:14 +02:00
Manuel Pégourié-Gonnard 726cf72fce Avoid using %zu in selftest functions
This is a C99 feature and unfortunately we can't rely on it yet considering
the set of toolchain (versions) we want to support.
2018-05-10 13:22:14 +02:00
Manuel Pégourié-Gonnard a9ed291d2d Add missing extern "C" guard to new headers 2018-05-10 13:22:14 +02:00
Manuel Pégourié-Gonnard deda80e80d Adapt the _ALT style to our new standard
- in .h files: only put the context declaration inside the #ifdef _ALT
  (this was changed in 2.9.0, ie after the original PR)
- in .c file: only leave selftest out of _ALT: even though some function are
  trivial to build from other parts, alt implementors might want to go another
way about them (for efficiency or other reasons)
2018-05-10 13:22:14 +02:00
Manuel Pégourié-Gonnard 690d9e6fad Add ChangeLog entry for new features.
Fixes #346
2018-05-10 13:22:14 +02:00
Daniel King f589275d80 Minor style and formatting fixes.
This change corrects some minor style violations, mostly for spacing
around parentheses.
2018-05-10 13:22:14 +02:00
Daniel King 47252c739d Correct signedness of printf specifier in self tests 2018-05-10 13:22:14 +02:00
Daniel King b9a069d096 Fix unused function warning under certain configurations.
I refactored some code into the function mbedtls_constant_time_memcmp
in commit 7aad291 but this function is only used by GCM and
AEAD_ChaCha20_Poly1305 to check the tags. So this function is now
only enabled if either of these two ciphers is enabled.
2018-05-10 13:22:14 +02:00
Daniel King 5b7f1d8035 Fix test suite when GCM Is disabled, but AEAD_ChaCha20_Poly1305 is enabled. 2018-05-10 13:21:40 +02:00
Daniel King 89c7b10c6a Add ChaCha20 test vectors from RFC 7539 2018-05-10 13:21:40 +02:00
Daniel King a7472e16bc Add ChaCha20/Poly1305 ciphers to the selftest program 2018-05-10 13:21:40 +02:00
Daniel King d00afaf2ba Adjust verbose self-test output to match other ciphers. 2018-05-10 13:21:40 +02:00
Daniel King b437a98faf Add ChaCha20+Poly1305 to the Cipher module 2018-05-10 13:21:40 +02:00
Daniel King f28c2aa64e Allow some parameters to be NULL if the length is 0.
This change permits users of the ChaCha20/Poly1305 algorithms
(and the AEAD construction thereof) to pass NULL pointers for
data that they do not need, and avoids the need to provide a valid
buffer for data that is not used.
2018-05-10 13:20:52 +02:00
Daniel King 31ac12e004 Implement AEAD-ChaCha20-Poly1305.
This implementation is based off the description in RFC 7539.

The ChaCha20 code is also updated to provide a means of generating
keystream blocks with arbitrary counter values. This is used to
generated the one-time Poly1305 key in the AEAD construction.
2018-05-10 13:20:52 +02:00