commit 55c0d096b7747b89394be4063d2d35275aa0ced7
author Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> Wed May 09 12:37:58 2018 +0200
committer Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> Thu May 24 13:37:31 2018 +0200
tree 1282a39f395bdcece10396824c8b5be0e526c051
parent 7296771194379fec7b1b47606e4ad461722c320f

chacha20: fix bug in starts() and add test for it

Previously the streaming API would fail when encrypting multiple messages with
the same key.

library/chacha20.c

diff --git a/library/chacha20.c b/library/chacha20.c
index 5ede455..d89000d 100644
--- a/library/chacha20.c
+++ b/library/chacha20.c
@@ -243,6 +243,12 @@
     ctx->initial_state[14] = BYTES_TO_U32_LE( nonce, 4 );
     ctx->initial_state[15] = BYTES_TO_U32_LE( nonce, 8 );
 
+    mbedtls_zeroize( ctx->working_state, sizeof( ctx->working_state ) );
+    mbedtls_zeroize( ctx->keystream8, sizeof( ctx->keystream8 ) );
+
+    /* Initially, there's no keystream bytes available */
+    ctx->keystream_bytes_used = CHACHA20_BLOCK_SIZE_BYTES;
+
     return( 0 );
 }
 

tests/suites/test_suite_chacha20.function

diff --git a/tests/suites/test_suite_chacha20.function b/tests/suites/test_suite_chacha20.function
index 9c0b985..fb3ad3e 100644
--- a/tests/suites/test_suite_chacha20.function
+++ b/tests/suites/test_suite_chacha20.function
@@ -23,6 +23,7 @@
     size_t nonce_len;
     size_t src_len;
     size_t dst_len;
+    mbedtls_chacha20_context ctx;
 
     memset( key_str,    0x00, sizeof( key_str ) );
     memset( nonce_str,  0x00, sizeof( nonce_str ) );
@@ -39,11 +40,45 @@
     TEST_ASSERT( key_len   == 32U );
     TEST_ASSERT( nonce_len == 12U );
 
+    /*
+     * Test the integrated API
+     */
     TEST_ASSERT( mbedtls_chacha20_crypt( key_str, nonce_str, counter, src_len, src_str, output ) == 0 );
 
     hexify( dst_str, output, src_len );
+    TEST_ASSERT( strcmp( (char*) dst_str, hex_dst_string ) == 0 );
 
-    TEST_ASSERT( strcmp( (char*) dst_str, hex_dst_string ) == 0);
+    /*
+     * Test the streaming API
+     */
+    mbedtls_chacha20_init( &ctx );
+
+    TEST_ASSERT( mbedtls_chacha20_setkey( &ctx, key_str ) == 0 );
+
+    TEST_ASSERT( mbedtls_chacha20_starts( &ctx, nonce_str, counter ) == 0 );
+
+    memset( output, 0x00, sizeof( output ) );
+    TEST_ASSERT( mbedtls_chacha20_update( &ctx, src_len, src_str, output ) == 0 );
+
+    hexify( dst_str, output, src_len );
+    TEST_ASSERT( strcmp( (char*) dst_str, hex_dst_string ) == 0 );
+
+    /*
+     * Test the streaming API again, piecewise
+     */
+
+    /* Don't reset the context of key, in order to test that starts() do the
+     * right thing. */
+    TEST_ASSERT( mbedtls_chacha20_starts( &ctx, nonce_str, counter ) == 0 );
+
+    memset( output, 0x00, sizeof( output ) );
+    TEST_ASSERT( mbedtls_chacha20_update( &ctx, 1, src_str, output ) == 0 );
+    TEST_ASSERT( mbedtls_chacha20_update( &ctx, src_len - 1, src_str + 1, output + 1 ) == 0 );
+
+    hexify( dst_str, output, src_len );
+    TEST_ASSERT( strcmp( (char*) dst_str, hex_dst_string ) == 0 );
+
+    mbedtls_chacha20_free( &ctx );
 }
 /* END_CASE */