Add ChaCha20+Poly1305 to the Cipher module
diff --git a/library/cipher.c b/library/cipher.c
index 68d0c10..b51a40b 100644
--- a/library/cipher.c
+++ b/library/cipher.c
@@ -38,6 +38,10 @@
#include <stdlib.h>
#include <string.h>
+#if defined(MBEDTLS_AEAD_CHACHA20_POLY1305_C)
+#include "mbedtls/aead_chacha20_poly1305.h"
+#endif
+
#if defined(MBEDTLS_GCM_C)
#include "mbedtls/gcm.h"
#endif
@@ -65,6 +69,22 @@
#define MBEDTLS_CIPHER_MODE_STREAM
#endif
+/* Compare the contents of two buffers in constant time.
+ * Returns 0 if the contents are bitwise identical, otherwise returns
+ * a non-zero value. */
+static int mbedtls_constant_time_memcmp( const void *v1, const void *v2, size_t len )
+{
+ const unsigned char *p1 = (const unsigned char*) v1;
+ const unsigned char *p2 = (const unsigned char*) v2;
+ size_t i;
+ unsigned char diff;
+
+ for( diff = 0, i = 0; i < len; i++ )
+ diff |= p1[i] ^ p2[i];
+
+ return (int)diff;
+}
+
static int supported_init = 0;
const int *mbedtls_cipher_list( void )
@@ -263,22 +283,45 @@
return( 0 );
}
-#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_AEAD_CHACHA20_POLY1305_C)
int mbedtls_cipher_update_ad( mbedtls_cipher_context_t *ctx,
const unsigned char *ad, size_t ad_len )
{
if( NULL == ctx || NULL == ctx->cipher_info )
return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+#if defined(MBEDTLS_GCM_C)
if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
{
return mbedtls_gcm_starts( (mbedtls_gcm_context *) ctx->cipher_ctx, ctx->operation,
ctx->iv, ctx->iv_size, ad, ad_len );
}
+#endif
+
+#if defined(MBEDTLS_AEAD_CHACHA20_POLY1305_C)
+ if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
+ {
+ int result;
+ mbedtls_aead_chacha20_poly1305_mode_t mode;
+
+ mode = ( ctx->operation == MBEDTLS_ENCRYPT )
+ ? MBEDTLS_AEAD_CHACHA20_POLY1305_ENCRYPT
+ : MBEDTLS_AEAD_CHACHA20_POLY1305_DECRYPT;
+
+ result = mbedtls_aead_chacha20_poly1305_starts( (mbedtls_aead_chacha20_poly1305_context*) ctx->cipher_ctx,
+ ctx->iv,
+ mode );
+ if ( result != 0 )
+ return( result );
+
+ return mbedtls_aead_chacha20_poly1305_update_aad( (mbedtls_aead_chacha20_poly1305_context*) ctx->cipher_ctx,
+ ad_len, ad );
+ }
+#endif
return( 0 );
}
-#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_GCM_C || MBEDTLS_AEAD_CHACHA20_POLY1305_C */
int mbedtls_cipher_update( mbedtls_cipher_context_t *ctx, const unsigned char *input,
size_t ilen, unsigned char *output, size_t *olen )
@@ -340,6 +383,21 @@
}
#endif
+ if( input == output &&
+ ( ctx->unprocessed_len != 0 || ilen % mbedtls_cipher_get_block_size( ctx ) ) )
+ {
+ return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+ }
+
+#if defined(MBEDTLS_AEAD_CHACHA20_POLY1305_C)
+ if ( ctx->cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305 )
+ {
+ *olen = ilen;
+ return mbedtls_aead_chacha20_poly1305_update( (mbedtls_aead_chacha20_poly1305_context*) ctx->cipher_ctx,
+ ilen, input, output );
+ }
+#endif
+
#if defined(MBEDTLS_CIPHER_MODE_CBC)
if( ctx->cipher_info->mode == MBEDTLS_MODE_CBC )
{
@@ -672,7 +730,8 @@
return( 0 );
}
- if ( MBEDTLS_CIPHER_CHACHA20 == ctx->cipher_info->type )
+ if ( ( MBEDTLS_CIPHER_CHACHA20 == ctx->cipher_info->type ) ||
+ ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type ) )
{
return( 0 );
}
@@ -788,7 +847,7 @@
}
#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
-#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_AEAD_CHACHA20_POLY1305_C)
int mbedtls_cipher_write_tag( mbedtls_cipher_context_t *ctx,
unsigned char *tag, size_t tag_len )
{
@@ -798,8 +857,22 @@
if( MBEDTLS_ENCRYPT != ctx->operation )
return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+#if defined(MBEDTLS_GCM_C)
if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
return mbedtls_gcm_finish( (mbedtls_gcm_context *) ctx->cipher_ctx, tag, tag_len );
+#endif
+
+#if defined(MBEDTLS_AEAD_CHACHA20_POLY1305_C)
+ if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
+ {
+ /* Don't allow truncated MAC for Poly1305 */
+ if ( tag_len != 16U )
+ return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+ return mbedtls_aead_chacha20_poly1305_finish( (mbedtls_aead_chacha20_poly1305_context*) ctx->cipher_ctx,
+ tag );
+ }
+#endif
return( 0 );
}
@@ -807,6 +880,7 @@
int mbedtls_cipher_check_tag( mbedtls_cipher_context_t *ctx,
const unsigned char *tag, size_t tag_len )
{
+ unsigned char check_tag[16];
int ret;
if( NULL == ctx || NULL == ctx->cipher_info ||
@@ -815,12 +889,9 @@
return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
}
+#if defined(MBEDTLS_GCM_C)
if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
{
- unsigned char check_tag[16];
- size_t i;
- int diff;
-
if( tag_len > sizeof( check_tag ) )
return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
@@ -831,18 +902,38 @@
}
/* Check the tag in "constant-time" */
- for( diff = 0, i = 0; i < tag_len; i++ )
- diff |= tag[i] ^ check_tag[i];
-
- if( diff != 0 )
+ if( mbedtls_constant_time_memcmp( tag, check_tag, tag_len ) != 0 )
return( MBEDTLS_ERR_CIPHER_AUTH_FAILED );
return( 0 );
}
+#endif /* MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_AEAD_CHACHA20_POLY1305_C)
+ if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
+ {
+ /* Don't allow truncated MAC for Poly1305 */
+ if ( tag_len != sizeof( check_tag ) )
+ return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+ ret = mbedtls_aead_chacha20_poly1305_finish( (mbedtls_aead_chacha20_poly1305_context*) ctx->cipher_ctx,
+ check_tag );
+ if ( ret != 0 )
+ {
+ return( ret );
+ }
+
+ /* Check the tag in "constant-time" */
+ if( mbedtls_constant_time_memcmp( tag, check_tag, tag_len ) != 0 )
+ return( MBEDTLS_ERR_CIPHER_AUTH_FAILED );
+
+ return( 0 );
+ }
+#endif /* MBEDTLS_AEAD_CHACHA20_POLY1305_C */
return( 0 );
}
-#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_GCM_C || MBEDTLS_AEAD_CHACHA20_POLY1305_C */
/*
* Packet-oriented wrapper for non-AEAD modes
@@ -901,6 +992,39 @@
tag, tag_len ) );
}
#endif /* MBEDTLS_CCM_C */
+#if defined(MBEDTLS_AEAD_CHACHA20_POLY1305_C)
+ if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
+ {
+ int ret;
+
+ if ( ( iv_len != ctx->cipher_info->iv_size ) ||
+ ( tag_len != 16U ) ) /* Truncated MAC is not allowed for Poly1305 */
+ {
+ return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+ }
+
+ *olen = ilen;
+
+ ret = mbedtls_aead_chacha20_poly1305_starts( (mbedtls_aead_chacha20_poly1305_context*) ctx->cipher_ctx,
+ iv, MBEDTLS_AEAD_CHACHA20_POLY1305_ENCRYPT );
+ if ( ret != 0 )
+ return( ret );
+
+ ret = mbedtls_aead_chacha20_poly1305_update_aad( (mbedtls_aead_chacha20_poly1305_context*) ctx->cipher_ctx,
+ ad_len, ad );
+ if ( ret != 0 )
+ return( ret );
+
+ ret = mbedtls_aead_chacha20_poly1305_update( (mbedtls_aead_chacha20_poly1305_context*) ctx->cipher_ctx,
+ ilen, input, output );
+ if ( ret != 0 )
+ return( ret );
+
+ ret = mbedtls_aead_chacha20_poly1305_finish( (mbedtls_aead_chacha20_poly1305_context*) ctx->cipher_ctx,
+ tag );
+ return( ret );
+ }
+#endif /* MBEDTLS_AEAD_CHACHA20_POLY1305_C */
return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
}
@@ -947,6 +1071,47 @@
return( ret );
}
#endif /* MBEDTLS_CCM_C */
+#if defined(MBEDTLS_AEAD_CHACHA20_POLY1305_C)
+ if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
+ {
+ unsigned char check_tag[16];
+ int ret;
+
+ if ( ( iv_len != ctx->cipher_info->iv_size ) ||
+ ( tag_len != 16U ) ) /* Truncated MAC is not allowed for Poly1305 */
+ {
+ return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+ }
+
+ *olen = ilen;
+
+ ret = mbedtls_aead_chacha20_poly1305_starts( (mbedtls_aead_chacha20_poly1305_context*) ctx->cipher_ctx,
+ iv, MBEDTLS_AEAD_CHACHA20_POLY1305_DECRYPT );
+ if ( ret != 0 )
+ return( ret );
+
+ ret = mbedtls_aead_chacha20_poly1305_update_aad( (mbedtls_aead_chacha20_poly1305_context*) ctx->cipher_ctx,
+ ad_len, ad );
+ if ( ret != 0 )
+ return( ret );
+
+ ret = mbedtls_aead_chacha20_poly1305_update( (mbedtls_aead_chacha20_poly1305_context*) ctx->cipher_ctx,
+ ilen, input, output );
+ if ( ret != 0 )
+ return( ret );
+
+ ret = mbedtls_aead_chacha20_poly1305_finish( (mbedtls_aead_chacha20_poly1305_context*) ctx->cipher_ctx,
+ check_tag );
+ if ( ret != 0 )
+ return( ret );
+
+ /* Compare the tag in constant time */
+ if ( mbedtls_constant_time_memcmp( tag, check_tag, tag_len ) != 0 )
+ return( MBEDTLS_ERR_CIPHER_AUTH_FAILED );
+
+ return( 0 );
+ }
+#endif /* MBEDTLS_AEAD_CHACHA20_POLY1305_C */
return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
}
