From 14b6254e6e3e159cf15566e2af06c06ee3aee9a1 Mon Sep 17 00:00:00 2001 From: Andrew Burks Date: Fri, 20 Feb 2015 17:19:42 -0800 Subject: [PATCH 1/4] Fixed dependency chain issue with integer.h since one of the function prototypes uses mp_int. --- wolfcrypt/src/asn.c | 1 - wolfssl/wolfcrypt/asn.h | 1 + 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 13cfb6c25..1d549ed24 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -32,7 +32,6 @@ #include "dc_rtc_api.h" /* to get current time */ #endif -#include #include #include #include diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index cf89bf32b..98cc3ff3d 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -25,6 +25,7 @@ #define WOLF_CRYPT_ASN_H #include +#include #ifndef NO_RSA #include #endif From 8c3410d6c2bde614e1f59598ddb00e41a4d63993 Mon Sep 17 00:00:00 2001 From: Andrew Burks Date: Tue, 24 Feb 2015 09:15:11 -0800 Subject: [PATCH 2/4] Added wolfcrypt API for the ChaCha20-Poly1305 AEAD. --- wolfcrypt/src/chacha20_poly1305.c | 283 +++++++++++++++++++++ wolfcrypt/test/test.c | 341 ++++++++++++++++++-------- wolfssl/wolfcrypt/chacha20_poly1305.h | 60 +++++ wolfssl/wolfcrypt/error-crypt.h | 4 +- 4 files changed, 589 insertions(+), 99 deletions(-) create mode 100644 wolfcrypt/src/chacha20_poly1305.c create mode 100644 wolfssl/wolfcrypt/chacha20_poly1305.h diff --git a/wolfcrypt/src/chacha20_poly1305.c b/wolfcrypt/src/chacha20_poly1305.c new file mode 100644 index 000000000..6e664d32d --- /dev/null +++ b/wolfcrypt/src/chacha20_poly1305.c @@ -0,0 +1,283 @@ +/* chacha.c + * + * Copyright (C) 2006-2015 wolfSSL Inc. + * + * This file is part of wolfSSL. (formerly known as CyaSSL) + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + */ + + +#ifdef HAVE_CONFIG_H +#include +#endif + +#include + +#if( defined( HAVE_CHACHA ) && defined( HAVE_POLY1305 ) ) + +#include +#include +#include +#include +#include + +#ifdef NO_INLINE +#include +#else +#include +#endif + +#ifdef CHACHA_AEAD_TEST +#include +#endif + +#define CHACHA20_POLY1305_AEAD_INITIAL_COUNTER 0 +#define CHACHA20_POLY1305_MAC_PADDING_ALIGNMENT 16 + +static void _word32ToLittle64( const word32 inLittle32, byte outLittle64[8] ); +static int _calculateAuthTag( const byte inAuthKey[CHACHA20_POLY1305_AEAD_KEYSIZE], + const byte* inAAD, const word32 inAADLen, + const byte *inCiphertext, const word32 inCiphertextLen, + byte outAuthTag[CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE] ); +static int constantTimeCompare( const byte *a, const byte *b, word32 len ); + +WOLFSSL_API int wc_ChaCha20Poly1305_Encrypt( const byte inKey[CHACHA20_POLY1305_AEAD_KEYSIZE], + const byte inIV[CHACHA20_POLY1305_AEAD_IV_SIZE], + const byte *inAAD, const word32 inAADLen, + const byte *inPlaintext, const word32 inPlaintextLen, + byte *outCiphertext, + byte outAuthTag[CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE] ) +{ + int err; + byte poly1305Key[CHACHA20_POLY1305_AEAD_KEYSIZE]; + ChaCha chaChaCtx; + + // Validate function arguments + + if( !inKey || !inIV || + !inPlaintext || !inPlaintextLen || + !outCiphertext || + !outAuthTag ) + { + return BAD_FUNC_ARG; + } + + ForceZero( poly1305Key, sizeof( poly1305Key ) ); + + err = 0; + + // Create the Poly1305 key + + err += wc_Chacha_SetKey( &chaChaCtx, inKey, CHACHA20_POLY1305_AEAD_KEYSIZE ); + err += wc_Chacha_SetIV( &chaChaCtx, inIV, CHACHA20_POLY1305_AEAD_INITIAL_COUNTER ); + err += wc_Chacha_Process( &chaChaCtx, poly1305Key, poly1305Key, CHACHA20_POLY1305_AEAD_KEYSIZE ); + if( err ) + { + return err; + } + + // Encrypt the plaintext using ChaCha20 + + err = wc_Chacha_Process( &chaChaCtx, outCiphertext, inPlaintext, inPlaintextLen ); + if( err ) + { + return err; + } + + // Calculate the Poly1305 auth tag + + err = _calculateAuthTag( poly1305Key, + inAAD, inAADLen, + outCiphertext, inPlaintextLen, + outAuthTag ); + + return err; +} + +WOLFSSL_API int wc_ChaCha20Poly1305_Decrypt( const byte inKey[CHACHA20_POLY1305_AEAD_KEYSIZE], + const byte inIV[CHACHA20_POLY1305_AEAD_IV_SIZE], + const byte *inAAD, const word32 inAADLen, + const byte *inCiphertext, const word32 inCiphertextLen, + const byte inAuthTag[CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE], + byte* outPlaintext ) +{ + int err; + byte poly1305Key[CHACHA20_POLY1305_AEAD_KEYSIZE]; + ChaCha chaChaCtx; + byte calculatedAuthTag[CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE]; + + // Validate function arguments + + if( !inKey || !inIV || + !inCiphertext || !inCiphertextLen || + !inAuthTag || + !outPlaintext ) + { + return BAD_FUNC_ARG; + } + + ForceZero( calculatedAuthTag, sizeof( calculatedAuthTag ) ); + ForceZero( poly1305Key, sizeof( poly1305Key ) ); + + err = 0; + + // Create the Poly1305 key + + err += wc_Chacha_SetKey( &chaChaCtx, inKey, CHACHA20_POLY1305_AEAD_KEYSIZE ); + err += wc_Chacha_SetIV( &chaChaCtx, inIV, CHACHA20_POLY1305_AEAD_INITIAL_COUNTER ); + err += wc_Chacha_Process( &chaChaCtx, poly1305Key, poly1305Key, CHACHA20_POLY1305_AEAD_KEYSIZE ); + if( err ) + { + return err; + } + + // Calculate the Poly1305 auth tag + + err = _calculateAuthTag( poly1305Key, + inAAD, inAADLen, + inCiphertext, inCiphertextLen, + calculatedAuthTag ); + + // Compare the calculated auth tag with the received one + + if( constantTimeCompare( inAuthTag, calculatedAuthTag, CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE ) ) + { + return MAC_CMP_FAILED_E; + } + + // Decrypt the received ciphertext + + err = wc_Chacha_Process( &chaChaCtx, outPlaintext, inCiphertext, inCiphertextLen ); + + return err; +} + +static int _calculateAuthTag( const byte inAuthKey[CHACHA20_POLY1305_AEAD_KEYSIZE], + const byte *inAAD, const word32 inAADLen, + const byte *inCiphertext, const word32 inCiphertextLen, + byte outAuthTag[CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE] ) +{ + int err; + Poly1305 poly1305Ctx; + byte padding[CHACHA20_POLY1305_MAC_PADDING_ALIGNMENT - 1]; + word32 paddingLen; + byte little64[8]; + + ForceZero( padding, sizeof( padding ) ); + paddingLen = 0; + + // Initialize Poly1305 + + err = wc_Poly1305SetKey( &poly1305Ctx, inAuthKey, CHACHA20_POLY1305_AEAD_KEYSIZE ); + if( err ) + { + return err; + } + + // Create the authTag by MAC'ing the following items: + + // -- AAD + + if( inAAD && inAADLen ) + { + err = wc_Poly1305Update( &poly1305Ctx, inAAD, inAADLen ); + + // -- padding1: pad the AAD to 16 bytes + + paddingLen = -inAADLen & ( CHACHA20_POLY1305_MAC_PADDING_ALIGNMENT - 1 ); + if( paddingLen ) + { + err += wc_Poly1305Update( &poly1305Ctx, padding, paddingLen ); + } + + if( err ) + { + return err; + } + } + + // -- Ciphertext + + err = wc_Poly1305Update( &poly1305Ctx, inCiphertext, inCiphertextLen ); + if( err ) + { + return err; + } + + // -- padding2: pad the ciphertext to 16 bytes + + paddingLen = -inCiphertextLen & ( CHACHA20_POLY1305_MAC_PADDING_ALIGNMENT - 1 ); + if( paddingLen ) + { + err = wc_Poly1305Update( &poly1305Ctx, padding, paddingLen ); + } + + if( err ) + { + return err; + } + + // -- AAD length as a 64-bit little endian integer + + _word32ToLittle64( inAADLen, little64 ); + + err = wc_Poly1305Update( &poly1305Ctx, little64, sizeof( little64 ) ); + if( err ) + { + return err; + } + + // -- Ciphertext length as a 64-bit little endian integer + + _word32ToLittle64( inCiphertextLen, little64 ); + + err = wc_Poly1305Update( &poly1305Ctx, little64, sizeof( little64 ) ); + if( err ) + { + return err; + } + + // Finalize the auth tag + + err = wc_Poly1305Final( &poly1305Ctx, outAuthTag ); + + return err; +} + +static void _word32ToLittle64( const word32 inLittle32, byte outLittle64[8] ) +{ + ForceZero( outLittle64, 8 ); + + outLittle64[0] = ( inLittle32 & 0x000000FF ); + outLittle64[1] = ( inLittle32 & 0x0000FF00 ) >> 8; + outLittle64[2] = ( inLittle32 & 0x00FF0000 ) >> 16; + outLittle64[3] = ( inLittle32 & 0xFF000000 ) >> 24; +} + +static int constantTimeCompare( const byte *a, const byte *b, word32 len ) +{ + word32 i; + byte result = 0; + + for( i = 0; i < len; i++ ) + { + result |= a[i] ^ b[i]; + } + + return (int)result; +} + +#endif /* HAVE_CHACHA && HAVE_POLY1305 */ diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index 43e2c7744..e9bd10061 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -56,6 +56,7 @@ #include #include #include +#include #include #include #include @@ -2076,114 +2077,258 @@ int poly1305_test(void) #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) int chacha_poly_test(void) { - - const byte key[] = { - 0x42,0x90,0xbc,0xb1,0x54,0x17,0x35,0x31, - 0xf3,0x14,0xaf,0x57,0xf3,0xbe,0x3b,0x50, - 0x06,0xda,0x37,0x1e,0xce,0x27,0x2a,0xfa, - 0x1b,0x5d,0xbd,0xd1,0x10,0x0a,0x10,0x07 + // Test #1 from Section 2.8.2 of + // https://tools.ietf.org/html/draft-irtf-cfrg-chacha20-poly1305 + + const byte key1[] = { + 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, + 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f, + 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97, + 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f }; - const byte input[] = { - 0x86,0xd0,0x99,0x74,0x84,0x0b,0xde,0xd2, - 0xa5,0xca + const byte plaintext1[] = { + 0x4c, 0x61, 0x64, 0x69, 0x65, 0x73, 0x20, 0x61, + 0x6e, 0x64, 0x20, 0x47, 0x65, 0x6e, 0x74, 0x6c, + 0x65, 0x6d, 0x65, 0x6e, 0x20, 0x6f, 0x66, 0x20, + 0x74, 0x68, 0x65, 0x20, 0x63, 0x6c, 0x61, 0x73, + 0x73, 0x20, 0x6f, 0x66, 0x20, 0x27, 0x39, 0x39, + 0x3a, 0x20, 0x49, 0x66, 0x20, 0x49, 0x20, 0x63, + 0x6f, 0x75, 0x6c, 0x64, 0x20, 0x6f, 0x66, 0x66, + 0x65, 0x72, 0x20, 0x79, 0x6f, 0x75, 0x20, 0x6f, + 0x6e, 0x6c, 0x79, 0x20, 0x6f, 0x6e, 0x65, 0x20, + 0x74, 0x69, 0x70, 0x20, 0x66, 0x6f, 0x72, 0x20, + 0x74, 0x68, 0x65, 0x20, 0x66, 0x75, 0x74, 0x75, + 0x72, 0x65, 0x2c, 0x20, 0x73, 0x75, 0x6e, 0x73, + 0x63, 0x72, 0x65, 0x65, 0x6e, 0x20, 0x77, 0x6f, + 0x75, 0x6c, 0x64, 0x20, 0x62, 0x65, 0x20, 0x69, + 0x74, 0x2e }; - const byte nonce[] = { - 0x00,0x00,0x00,0x00,0xcd,0x7c,0xf6,0x7b, - 0xe3,0x9c,0x79,0x4a + const byte iv1[] = { + 0x07, 0x00, 0x00, 0x00, 0x40, 0x41, 0x42, 0x43, + 0x44, 0x45, 0x46, 0x47 }; - const byte ad[] = { /* aditional data */ - 0x87,0xe2,0x29,0xd4,0x50,0x08,0x45,0xa0, - 0x79,0xc0,0x0a,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00 + const byte aad1[] = { /* additional data */ + 0x50, 0x51, 0x52, 0x53, 0xc0, 0xc1, 0xc2, 0xc3, + 0xc4, 0xc5, 0xc6, 0xc7 }; - const byte test[] = { /* expected output from operation */ - 0xe3,0xe4,0x46,0xf7,0xed,0xe9,0xa1,0x9b, - 0x62,0xa4,0x98,0xa5,0x9a,0x87,0xf9,0x82, - 0xa1,0xfe,0xcb,0xac,0xd3,0xff,0xe8,0x29, - 0x31,0x04 + const byte cipher1[] = { /* expected output from operation */ + 0xd3, 0x1a, 0x8d, 0x34, 0x64, 0x8e, 0x60, 0xdb, + 0x7b, 0x86, 0xaf, 0xbc, 0x53, 0xef, 0x7e, 0xc2, + 0xa4, 0xad, 0xed, 0x51, 0x29, 0x6e, 0x08, 0xfe, + 0xa9, 0xe2, 0xb5, 0xa7, 0x36, 0xee, 0x62, 0xd6, + 0x3d, 0xbe, 0xa4, 0x5e, 0x8c, 0xa9, 0x67, 0x12, + 0x82, 0xfa, 0xfb, 0x69, 0xda, 0x92, 0x72, 0x8b, + 0x1a, 0x71, 0xde, 0x0a, 0x9e, 0x06, 0x0b, 0x29, + 0x05, 0xd6, 0xa5, 0xb6, 0x7e, 0xcd, 0x3b, 0x36, + 0x92, 0xdd, 0xbd, 0x7f, 0x2d, 0x77, 0x8b, 0x8c, + 0x98, 0x03, 0xae, 0xe3, 0x28, 0x09, 0x1b, 0x58, + 0xfa, 0xb3, 0x24, 0xe4, 0xfa, 0xd6, 0x75, 0x94, + 0x55, 0x85, 0x80, 0x8b, 0x48, 0x31, 0xd7, 0xbc, + 0x3f, 0xf4, 0xde, 0xf0, 0x8e, 0x4b, 0x7a, 0x9d, + 0xe5, 0x76, 0xd2, 0x65, 0x86, 0xce, 0xc6, 0x4b, + 0x61, 0x16 }; - - - byte polyKey[64]; - byte cipher[32]; - byte tag[16]; /* tag made from Poly1305 MAC algorithm */ - byte out[48]; /* cipher (32) + tag size of (16) */ - byte msg[10]; /* message after decryption */ - word32 keySz = 32; - int ret = 0; - - ChaCha chaEnc, chaDec; - Poly1305 polyEnc, polyDec; - - XMEMSET(polyKey, 0, sizeof(polyKey)); - XMEMSET(cipher, 0, sizeof(cipher)); - XMEMSET(tag, 0, sizeof(tag)); - XMEMSET(out, 0, sizeof(out)); - XMEMSET(msg, 0, sizeof(msg)); - - /***** ENCRYPTION ******/ - - /* Initialise chacha / poly and get poly key */ - ret += wc_Chacha_SetKey(&chaEnc, key, keySz); - ret += wc_Chacha_SetIV(&chaEnc, nonce, 0); /* start with counter at 0 */ - /* AEAD poly key is created by first run of ChaCha */ - ret += wc_Chacha_Process(&chaEnc, polyKey, polyKey, 64); - ret += wc_Poly1305SetKey(&polyEnc, polyKey, 32); - - /* encrypt the plain text then append tag */ - ret += wc_Chacha_SetIV(&chaEnc, nonce, 1); - ret += wc_Chacha_Process(&chaEnc, cipher, input, sizeof(input)); - /* tag is created with using ad and cipher (SSL/TLS uses padding as well) */ - ret += wc_Poly1305Update(&polyEnc, ad, sizeof(ad)); - ret += wc_Poly1305Update(&polyEnc, cipher, sizeof(input)); - ret += wc_Poly1305Final(&polyEnc, tag); - XMEMCPY(out, cipher, sizeof(input)); /* copy cipher to first of out */ - XMEMCPY(out + sizeof(input), tag, sizeof(tag)); /* append tag to out */ - - - /****** TEST *****/ - - /* encrypted AEAD msg is now in out[] it's length is sizeof input + tag size - to test correctness we will compare the out[] to the expected output */ - if (memcmp(out, test, sizeof(test))) - return -1062; - - - /****** DECRYPTION ******/ - - XMEMSET(polyKey, 0, sizeof(polyKey)); - XMEMSET(tag, 0, sizeof(tag)); - - /* Initialise chacha / poly and get poly key */ - ret += wc_Chacha_SetKey(&chaDec, key, keySz); - ret += wc_Chacha_SetIV(&chaDec, nonce, 0); /* start with counter at 0 */ - /* AEAD poly key is created by first run of ChaCha */ - ret += wc_Chacha_Process(&chaDec, polyKey, polyKey, 64); - ret += wc_Poly1305SetKey(&polyDec, polyKey, 32); - - /* compare generated tag to what was sent */ - ret += wc_Poly1305Update(&polyDec, ad, sizeof(ad)); - ret += wc_Poly1305Update(&polyDec, out, sizeof(input)); /* cipher sent */ - ret += wc_Poly1305Final(&polyDec, tag); - /* comparison of tags should be in constant time when implemented */ - if (memcmp(tag, out + sizeof(input), sizeof(tag))) /* compare tags */ - return -1063; - - /* decrypt the cipher text */ - ret += wc_Chacha_Process(&chaDec, msg, out, sizeof(input)); - - - /****** TEST *****/ - - /* plain text msg has been recieved compare it to expected for test */ - if (memcmp(msg, input, sizeof(input))) + + const byte authTag1[] = { /* expected output from operation */ + 0x1a, 0xe1, 0x0b, 0x59, 0x4f, 0x09, 0xe2, 0x6a, + 0x7e, 0x90, 0x2e, 0xcb, 0xd0, 0x60, 0x06, 0x91 + }; + + // Test #2 from Appendix A.2 in + // https://tools.ietf.org/html/draft-irtf-cfrg-chacha20-poly1305 + + const byte key2[] = { + 0x1c, 0x92, 0x40, 0xa5, 0xeb, 0x55, 0xd3, 0x8a, + 0xf3, 0x33, 0x88, 0x86, 0x04, 0xf6, 0xb5, 0xf0, + 0x47, 0x39, 0x17, 0xc1, 0x40, 0x2b, 0x80, 0x09, + 0x9d, 0xca, 0x5c, 0xbc, 0x20, 0x70, 0x75, 0xc0 + }; + + const byte plaintext2[] = { + 0x49, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, + 0x2d, 0x44, 0x72, 0x61, 0x66, 0x74, 0x73, 0x20, + 0x61, 0x72, 0x65, 0x20, 0x64, 0x72, 0x61, 0x66, + 0x74, 0x20, 0x64, 0x6f, 0x63, 0x75, 0x6d, 0x65, + 0x6e, 0x74, 0x73, 0x20, 0x76, 0x61, 0x6c, 0x69, + 0x64, 0x20, 0x66, 0x6f, 0x72, 0x20, 0x61, 0x20, + 0x6d, 0x61, 0x78, 0x69, 0x6d, 0x75, 0x6d, 0x20, + 0x6f, 0x66, 0x20, 0x73, 0x69, 0x78, 0x20, 0x6d, + 0x6f, 0x6e, 0x74, 0x68, 0x73, 0x20, 0x61, 0x6e, + 0x64, 0x20, 0x6d, 0x61, 0x79, 0x20, 0x62, 0x65, + 0x20, 0x75, 0x70, 0x64, 0x61, 0x74, 0x65, 0x64, + 0x2c, 0x20, 0x72, 0x65, 0x70, 0x6c, 0x61, 0x63, + 0x65, 0x64, 0x2c, 0x20, 0x6f, 0x72, 0x20, 0x6f, + 0x62, 0x73, 0x6f, 0x6c, 0x65, 0x74, 0x65, 0x64, + 0x20, 0x62, 0x79, 0x20, 0x6f, 0x74, 0x68, 0x65, + 0x72, 0x20, 0x64, 0x6f, 0x63, 0x75, 0x6d, 0x65, + 0x6e, 0x74, 0x73, 0x20, 0x61, 0x74, 0x20, 0x61, + 0x6e, 0x79, 0x20, 0x74, 0x69, 0x6d, 0x65, 0x2e, + 0x20, 0x49, 0x74, 0x20, 0x69, 0x73, 0x20, 0x69, + 0x6e, 0x61, 0x70, 0x70, 0x72, 0x6f, 0x70, 0x72, + 0x69, 0x61, 0x74, 0x65, 0x20, 0x74, 0x6f, 0x20, + 0x75, 0x73, 0x65, 0x20, 0x49, 0x6e, 0x74, 0x65, + 0x72, 0x6e, 0x65, 0x74, 0x2d, 0x44, 0x72, 0x61, + 0x66, 0x74, 0x73, 0x20, 0x61, 0x73, 0x20, 0x72, + 0x65, 0x66, 0x65, 0x72, 0x65, 0x6e, 0x63, 0x65, + 0x20, 0x6d, 0x61, 0x74, 0x65, 0x72, 0x69, 0x61, + 0x6c, 0x20, 0x6f, 0x72, 0x20, 0x74, 0x6f, 0x20, + 0x63, 0x69, 0x74, 0x65, 0x20, 0x74, 0x68, 0x65, + 0x6d, 0x20, 0x6f, 0x74, 0x68, 0x65, 0x72, 0x20, + 0x74, 0x68, 0x61, 0x6e, 0x20, 0x61, 0x73, 0x20, + 0x2f, 0xe2, 0x80, 0x9c, 0x77, 0x6f, 0x72, 0x6b, + 0x20, 0x69, 0x6e, 0x20, 0x70, 0x72, 0x6f, 0x67, + 0x72, 0x65, 0x73, 0x73, 0x2e, 0x2f, 0xe2, 0x80, + 0x9d + }; + + const byte iv2[] = { + 0x00, 0x00, 0x00, 0x00, 0x01, 0x02, 0x03, 0x04, + 0x05, 0x06, 0x07, 0x08 + }; + + const byte aad2[] = { /* additional data */ + 0xf3, 0x33, 0x88, 0x86, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x4e, 0x91 + }; + + const byte cipher2[] = { /* expected output from operation */ + 0x64, 0xa0, 0x86, 0x15, 0x75, 0x86, 0x1a, 0xf4, + 0x60, 0xf0, 0x62, 0xc7, 0x9b, 0xe6, 0x43, 0xbd, + 0x5e, 0x80, 0x5c, 0xfd, 0x34, 0x5c, 0xf3, 0x89, + 0xf1, 0x08, 0x67, 0x0a, 0xc7, 0x6c, 0x8c, 0xb2, + 0x4c, 0x6c, 0xfc, 0x18, 0x75, 0x5d, 0x43, 0xee, + 0xa0, 0x9e, 0xe9, 0x4e, 0x38, 0x2d, 0x26, 0xb0, + 0xbd, 0xb7, 0xb7, 0x3c, 0x32, 0x1b, 0x01, 0x00, + 0xd4, 0xf0, 0x3b, 0x7f, 0x35, 0x58, 0x94, 0xcf, + 0x33, 0x2f, 0x83, 0x0e, 0x71, 0x0b, 0x97, 0xce, + 0x98, 0xc8, 0xa8, 0x4a, 0xbd, 0x0b, 0x94, 0x81, + 0x14, 0xad, 0x17, 0x6e, 0x00, 0x8d, 0x33, 0xbd, + 0x60, 0xf9, 0x82, 0xb1, 0xff, 0x37, 0xc8, 0x55, + 0x97, 0x97, 0xa0, 0x6e, 0xf4, 0xf0, 0xef, 0x61, + 0xc1, 0x86, 0x32, 0x4e, 0x2b, 0x35, 0x06, 0x38, + 0x36, 0x06, 0x90, 0x7b, 0x6a, 0x7c, 0x02, 0xb0, + 0xf9, 0xf6, 0x15, 0x7b, 0x53, 0xc8, 0x67, 0xe4, + 0xb9, 0x16, 0x6c, 0x76, 0x7b, 0x80, 0x4d, 0x46, + 0xa5, 0x9b, 0x52, 0x16, 0xcd, 0xe7, 0xa4, 0xe9, + 0x90, 0x40, 0xc5, 0xa4, 0x04, 0x33, 0x22, 0x5e, + 0xe2, 0x82, 0xa1, 0xb0, 0xa0, 0x6c, 0x52, 0x3e, + 0xaf, 0x45, 0x34, 0xd7, 0xf8, 0x3f, 0xa1, 0x15, + 0x5b, 0x00, 0x47, 0x71, 0x8c, 0xbc, 0x54, 0x6a, + 0x0d, 0x07, 0x2b, 0x04, 0xb3, 0x56, 0x4e, 0xea, + 0x1b, 0x42, 0x22, 0x73, 0xf5, 0x48, 0x27, 0x1a, + 0x0b, 0xb2, 0x31, 0x60, 0x53, 0xfa, 0x76, 0x99, + 0x19, 0x55, 0xeb, 0xd6, 0x31, 0x59, 0x43, 0x4e, + 0xce, 0xbb, 0x4e, 0x46, 0x6d, 0xae, 0x5a, 0x10, + 0x73, 0xa6, 0x72, 0x76, 0x27, 0x09, 0x7a, 0x10, + 0x49, 0xe6, 0x17, 0xd9, 0x1d, 0x36, 0x10, 0x94, + 0xfa, 0x68, 0xf0, 0xff, 0x77, 0x98, 0x71, 0x30, + 0x30, 0x5b, 0xea, 0xba, 0x2e, 0xda, 0x04, 0xdf, + 0x99, 0x7b, 0x71, 0x4d, 0x6c, 0x6f, 0x2c, 0x29, + 0xa6, 0xad, 0x5c, 0xb4, 0x02, 0x2b, 0x02, 0x70, + 0x9b + }; + + const byte authTag2[] = { /* expected output from operation */ + 0xee, 0xad, 0x9d, 0x67, 0x89, 0x0c, 0xbb, 0x22, + 0x39, 0x23, 0x36, 0xfe, 0xa1, 0x85, 0x1f, 0x38 + }; + + byte generatedCiphertext[272]; + byte generatedPlaintext[272]; + byte generatedAuthTag[CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE]; + int err; + + XMEMSET( generatedCiphertext, 0, sizeof( generatedCiphertext ) ); + XMEMSET( generatedAuthTag, 0, sizeof( generatedAuthTag ) ); + XMEMSET( generatedPlaintext, 0, sizeof( generatedPlaintext ) ); + + // Test #1 + + err = wc_ChaCha20Poly1305_Encrypt( key1, iv1, + aad1, sizeof( aad1 ), + plaintext1, sizeof( plaintext1 ), + generatedCiphertext, generatedAuthTag ); + if( err ) + { + return err; + } + + // -- Check the ciphertext and authtag + + if( XMEMCMP( generatedCiphertext, cipher1, sizeof( cipher1 ) ) ) + { return -1064; - - return ret; + } + + if( XMEMCMP( generatedAuthTag, authTag1, sizeof( authTag1 ) ) ) + { + return -1065; + } + + // -- Verify decryption works + + err = wc_ChaCha20Poly1305_Decrypt( key1, iv1, + aad1, sizeof( aad1 ), + cipher1, sizeof( cipher1 ), + authTag1, generatedPlaintext ); + if( err ) + { + return err; + } + + if( XMEMCMP( generatedPlaintext, plaintext1, sizeof( plaintext1 ) ) ) + { + return -1066; + } + + XMEMSET( generatedCiphertext, 0, sizeof( generatedCiphertext ) ); + XMEMSET( generatedAuthTag, 0, sizeof( generatedAuthTag ) ); + XMEMSET( generatedPlaintext, 0, sizeof( generatedPlaintext ) ); + + // Test #2 + + err = wc_ChaCha20Poly1305_Encrypt( key2, iv2, + aad2, sizeof( aad2 ), + plaintext2, sizeof( plaintext2 ), + generatedCiphertext, generatedAuthTag ); + if( err ) + { + return err; + } + + // -- Check the ciphertext and authtag + + if( XMEMCMP( generatedCiphertext, cipher2, sizeof( cipher2 ) ) ) + { + return -1067; + } + + if( XMEMCMP( generatedAuthTag, authTag2, sizeof( authTag2 ) ) ) + { + return -1068; + } + + // -- Verify decryption works + + err = wc_ChaCha20Poly1305_Decrypt( key2, iv2, + aad2, sizeof( aad2 ), + cipher2, sizeof( cipher2 ), + authTag2, generatedPlaintext ); + if( err ) + { + return err; + } + + if( XMEMCMP( generatedPlaintext, plaintext2, sizeof( plaintext2 ) ) ) + { + return -1069; + } + + return err; } #endif /* HAVE_CHACHA && HAVE_POLY1305 */ diff --git a/wolfssl/wolfcrypt/chacha20_poly1305.h b/wolfssl/wolfcrypt/chacha20_poly1305.h new file mode 100644 index 000000000..f472d4abb --- /dev/null +++ b/wolfssl/wolfcrypt/chacha20_poly1305.h @@ -0,0 +1,60 @@ +/* chacha20_poly1305.h + * + * Copyright (C) 2006-2015 wolfSSL Inc. + * + * This file is part of wolfSSL. (formerly known as CyaSSL) + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + */ + +#if( defined( HAVE_CHACHA ) && defined( HAVE_POLY1305 ) ) + +#ifndef WOLF_CRYPT_CHACHA20_POLY1305_H +#define WOLF_CRYPT_CHACHA20_POLY1305_H + +#include + +#ifdef __cplusplus +extern "C" { +#endif + +#define CHACHA20_POLY1305_AEAD_KEYSIZE 32 +#define CHACHA20_POLY1305_AEAD_IV_SIZE 12 +#define CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE 16 + + enum { + CHACHA20_POLY_1305_ENC_TYPE = 8 /* cipher unique type */ + }; + + WOLFSSL_API int wc_ChaCha20Poly1305_Encrypt(const byte inKey[CHACHA20_POLY1305_AEAD_KEYSIZE], + const byte inIV[CHACHA20_POLY1305_AEAD_IV_SIZE], + const byte* inAAD, const word32 inAADLen, + const byte* inPlaintext, const word32 inPlaintextLen, + byte* outCiphertext, + byte outAuthTag[CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE]); + + WOLFSSL_API int wc_ChaCha20Poly1305_Decrypt(const byte inKey[CHACHA20_POLY1305_AEAD_KEYSIZE], + const byte inIV[CHACHA20_POLY1305_AEAD_IV_SIZE], + const byte* inAAD, const word32 inAADLen, + const byte* inCiphertext, const word32 inCiphertextLen, + const byte inAuthTag[CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE], + byte* outPlaintext); + +#ifdef __cplusplus +} /* extern "C" */ +#endif + +#endif /* WOLF_CRYPT_CHACHA20_POLY1305_H */ +#endif /* HAVE_CHACHA && HAVE_POLY1305 */ \ No newline at end of file diff --git a/wolfssl/wolfcrypt/error-crypt.h b/wolfssl/wolfcrypt/error-crypt.h index ee18f8535..67291ec58 100644 --- a/wolfssl/wolfcrypt/error-crypt.h +++ b/wolfssl/wolfcrypt/error-crypt.h @@ -145,7 +145,9 @@ enum { AESGCM_KAT_FIPS_E = -210, /* AESGCM KAT failure */ THREAD_STORE_KEY_E = -211, /* Thread local storage key create failure */ THREAD_STORE_SET_E = -212, /* Thread local storage key set failure */ - + + MAC_CMP_FAILED_E = -213, /* MAC comparison failed */ + MIN_CODE_E = -300 /* errors -101 - -299 */ }; From 0e5f879d0b685215543322772b72803a4acb0555 Mon Sep 17 00:00:00 2001 From: Andrew Burks Date: Tue, 24 Feb 2015 10:00:39 -0800 Subject: [PATCH 3/4] Added documentation and benchmarks. --- wolfcrypt/benchmark/benchmark.c | 37 +++++++++++++++++++++++++++ wolfcrypt/src/chacha20_poly1305.c | 9 +++---- wolfcrypt/test/test.c | 20 +++++++-------- wolfssl/wolfcrypt/chacha20_poly1305.h | 14 ++++++++++ 4 files changed, 65 insertions(+), 15 deletions(-) diff --git a/wolfcrypt/benchmark/benchmark.c b/wolfcrypt/benchmark/benchmark.c index 86a2179e4..87547f032 100644 --- a/wolfcrypt/benchmark/benchmark.c +++ b/wolfcrypt/benchmark/benchmark.c @@ -43,6 +43,7 @@ #include #include #include +#include #include #include #include @@ -116,6 +117,7 @@ void bench_arc4(void); void bench_hc128(void); void bench_rabbit(void); void bench_chacha(void); +void bench_chacha20_poly1305_aead(void); void bench_aes(int); void bench_aesgcm(void); void bench_aesccm(void); @@ -295,6 +297,9 @@ int benchmark_test(void *args) #ifdef HAVE_POLY1305 bench_poly1305(); #endif +#if( defined( HAVE_CHACHA ) && defined( HAVE_POLY1305 ) ) + bench_chacha20_poly1305_aead(); +#endif #ifndef NO_SHA bench_sha(); #endif @@ -770,6 +775,38 @@ void bench_chacha(void) } #endif /* HAVE_CHACHA*/ + +#if( defined( HAVE_CHACHA ) && defined( HAVE_POLY1305 ) ) +void bench_chacha20_poly1305_aead(void) +{ + double start, total, persec; + int i; + + byte authTag[CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE]; + XMEMSET( authTag, 0, sizeof( authTag ) ); + + start = current_time(1); + BEGIN_INTEL_CYCLES + + for (i = 0; i < numBlocks; i++) + { + wc_ChaCha20Poly1305_Encrypt( key, iv, NULL, 0, plain, sizeof( plain ), cipher, authTag ); + } + + END_INTEL_CYCLES + total = current_time(0) - start; + persec = 1 / total * numBlocks; +#ifdef BENCH_EMBEDDED + /* since using kB, convert to MB/s */ + persec = persec / 1024; +#endif + + printf("ChaCha20-Poly1305 AEAD %d %s took %5.3f seconds, %7.3f MB/s", numBlocks, blockType, total, persec); + SHOW_INTEL_CYCLES + printf("\n"); + +} +#endif /* HAVE_CHACHA && HAVE_POLY1305 */ #ifndef NO_MD5 diff --git a/wolfcrypt/src/chacha20_poly1305.c b/wolfcrypt/src/chacha20_poly1305.c index 6e664d32d..ea164fd16 100644 --- a/wolfcrypt/src/chacha20_poly1305.c +++ b/wolfcrypt/src/chacha20_poly1305.c @@ -223,11 +223,10 @@ static int _calculateAuthTag( const byte inAuthKey[CHACHA20_POLY1305_AEAD_KEYSIZ if( paddingLen ) { err = wc_Poly1305Update( &poly1305Ctx, padding, paddingLen ); - } - - if( err ) - { - return err; + if( err ) + { + return err; + } } // -- AAD length as a 64-bit little endian integer diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index e9bd10061..aadf0256b 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -163,7 +163,7 @@ int arc4_test(void); int hc128_test(void); int rabbit_test(void); int chacha_test(void); -int chacha_poly_test(void); +int chacha20_poly1305_aead_test(void); int des_test(void); int des3_test(void); int aes_test(void); @@ -416,10 +416,10 @@ int wolfcrypt_test(void* args) #endif #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) - if ( (ret = chacha_poly_test()) != 0) - return err_sys("CHACHA-POLY AEAD test failed!\n", ret); + if ( (ret = chacha20_poly1305_aead_test()) != 0) + return err_sys("ChaCha20-Poly1305 AEAD test failed!\n", ret); else - printf( "ChachaAEAD test passed!\n"); + printf( "ChaCha20-Poly1305 AEAD test passed!\n"); #endif #ifndef NO_DES3 @@ -2074,11 +2074,11 @@ int poly1305_test(void) #endif /* HAVE_POLY1305 */ -#if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) -int chacha_poly_test(void) +#if(defined(HAVE_CHACHA) && defined(HAVE_POLY1305)) +int chacha20_poly1305_aead_test(void) { - // Test #1 from Section 2.8.2 of - // https://tools.ietf.org/html/draft-irtf-cfrg-chacha20-poly1305 + // Test #1 from Section 2.8.2 of draft-irtf-cfrg-chacha20-poly1305-10 + // https://tools.ietf.org/html/draft-irtf-cfrg-chacha20-poly1305-10 const byte key1[] = { 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, @@ -2138,8 +2138,8 @@ int chacha_poly_test(void) 0x7e, 0x90, 0x2e, 0xcb, 0xd0, 0x60, 0x06, 0x91 }; - // Test #2 from Appendix A.2 in - // https://tools.ietf.org/html/draft-irtf-cfrg-chacha20-poly1305 + // Test #2 from Appendix A.2 in draft-irtf-cfrg-chacha20-poly1305-10 + // https://tools.ietf.org/html/draft-irtf-cfrg-chacha20-poly1305-10 const byte key2[] = { 0x1c, 0x92, 0x40, 0xa5, 0xeb, 0x55, 0xd3, 0x8a, diff --git a/wolfssl/wolfcrypt/chacha20_poly1305.h b/wolfssl/wolfcrypt/chacha20_poly1305.h index f472d4abb..fdb902fc5 100644 --- a/wolfssl/wolfcrypt/chacha20_poly1305.h +++ b/wolfssl/wolfcrypt/chacha20_poly1305.h @@ -17,6 +17,10 @@ * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + * + * This implementation of the ChaCha20-Poly1305 AEAD is based on "ChaCha20 + * and Poly1305 for IETF protocols" (draft-irtf-cfrg-chacha20-poly1305-10): + * https://tools.ietf.org/html/draft-irtf-cfrg-chacha20-poly1305-10 */ #if( defined( HAVE_CHACHA ) && defined( HAVE_POLY1305 ) ) @@ -38,6 +42,16 @@ extern "C" { CHACHA20_POLY_1305_ENC_TYPE = 8 /* cipher unique type */ }; + /* + * The IV for this implementation is 96 bits to give the most flexibility. + * + * Some protocols may have unique per-invocation inputs that are not + * 96-bit in length. For example, IPsec may specify a 64-bit nonce. In + * such a case, it is up to the protocol document to define how to + * transform the protocol nonce into a 96-bit nonce, for example by + * concatenating a constant value. + */ + WOLFSSL_API int wc_ChaCha20Poly1305_Encrypt(const byte inKey[CHACHA20_POLY1305_AEAD_KEYSIZE], const byte inIV[CHACHA20_POLY1305_AEAD_IV_SIZE], const byte* inAAD, const word32 inAADLen, From 9d20e712bfa313cb4ef95140015a9803331e1f3a Mon Sep 17 00:00:00 2001 From: toddouska Date: Tue, 24 Feb 2015 12:33:52 -0800 Subject: [PATCH 4/4] add autoconf support for chapoly-aead, wipe temp polykey, minor whitespace adjusts --- configure.ac | 2 +- src/include.am | 3 + support/wolfssl.pc | 2 +- wolfcrypt/benchmark/benchmark.c | 26 +- wolfcrypt/src/chacha20_poly1305.c | 327 +++++++++++++------------- wolfcrypt/src/error.c | 3 + wolfcrypt/test/test.c | 148 ++++++------ wolfssl/version.h | 4 +- wolfssl/wolfcrypt/chacha20_poly1305.h | 61 ++--- wolfssl/wolfcrypt/error-crypt.h | 4 +- wolfssl/wolfcrypt/include.am | 1 + 11 files changed, 301 insertions(+), 280 deletions(-) diff --git a/configure.ac b/configure.ac index 2c4871ca1..6a66bc826 100644 --- a/configure.ac +++ b/configure.ac @@ -6,7 +6,7 @@ # # -AC_INIT([wolfssl],[3.4.0],[https://github.com/wolfssl/wolfssl/issues],[wolfssl],[http://www.wolfssl.com]) +AC_INIT([wolfssl],[3.4.1],[https://github.com/wolfssl/wolfssl/issues],[wolfssl],[http://www.wolfssl.com]) AC_CONFIG_AUX_DIR([build-aux]) diff --git a/src/include.am b/src/include.am index 5cc1d20ac..c7df1b3c9 100644 --- a/src/include.am +++ b/src/include.am @@ -146,6 +146,9 @@ endif if BUILD_CHACHA src_libwolfssl_la_SOURCES += wolfcrypt/src/chacha.c +if BUILD_POLY1305 +src_libwolfssl_la_SOURCES += wolfcrypt/src/chacha20_poly1305.c +endif endif if !BUILD_INLINE diff --git a/support/wolfssl.pc b/support/wolfssl.pc index e840d1768..1d1f3681d 100644 --- a/support/wolfssl.pc +++ b/support/wolfssl.pc @@ -5,6 +5,6 @@ includedir=${prefix}/include Name: wolfssl Description: wolfssl C library. -Version: 3.4.0 +Version: 3.4.1 Libs: -L${libdir} -lwolfssl Cflags: -I${includedir} diff --git a/wolfcrypt/benchmark/benchmark.c b/wolfcrypt/benchmark/benchmark.c index 87547f032..8a3deabda 100644 --- a/wolfcrypt/benchmark/benchmark.c +++ b/wolfcrypt/benchmark/benchmark.c @@ -285,6 +285,9 @@ int benchmark_test(void *args) #ifdef HAVE_CHACHA bench_chacha(); #endif +#if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) + bench_chacha20_poly1305_aead(); +#endif #ifndef NO_DES3 bench_des(); #endif @@ -297,9 +300,6 @@ int benchmark_test(void *args) #ifdef HAVE_POLY1305 bench_poly1305(); #endif -#if( defined( HAVE_CHACHA ) && defined( HAVE_POLY1305 ) ) - bench_chacha20_poly1305_aead(); -#endif #ifndef NO_SHA bench_sha(); #endif @@ -775,24 +775,25 @@ void bench_chacha(void) } #endif /* HAVE_CHACHA*/ - + #if( defined( HAVE_CHACHA ) && defined( HAVE_POLY1305 ) ) void bench_chacha20_poly1305_aead(void) { double start, total, persec; int i; - + byte authTag[CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE]; XMEMSET( authTag, 0, sizeof( authTag ) ); - + start = current_time(1); BEGIN_INTEL_CYCLES - + for (i = 0; i < numBlocks; i++) { - wc_ChaCha20Poly1305_Encrypt( key, iv, NULL, 0, plain, sizeof( plain ), cipher, authTag ); + wc_ChaCha20Poly1305_Encrypt(key, iv, NULL, 0, plain, sizeof(plain), + cipher, authTag ); } - + END_INTEL_CYCLES total = current_time(0) - start; persec = 1 / total * numBlocks; @@ -800,11 +801,12 @@ void bench_chacha20_poly1305_aead(void) /* since using kB, convert to MB/s */ persec = persec / 1024; #endif - - printf("ChaCha20-Poly1305 AEAD %d %s took %5.3f seconds, %7.3f MB/s", numBlocks, blockType, total, persec); + + printf("ChaCha-Poly %d %s took %5.3f seconds, %7.3f MB/s", + numBlocks, blockType, total, persec); SHOW_INTEL_CYCLES printf("\n"); - + } #endif /* HAVE_CHACHA && HAVE_POLY1305 */ diff --git a/wolfcrypt/src/chacha20_poly1305.c b/wolfcrypt/src/chacha20_poly1305.c index ea164fd16..8c098dc73 100644 --- a/wolfcrypt/src/chacha20_poly1305.c +++ b/wolfcrypt/src/chacha20_poly1305.c @@ -21,12 +21,12 @@ #ifdef HAVE_CONFIG_H -#include + #include #endif #include -#if( defined( HAVE_CHACHA ) && defined( HAVE_POLY1305 ) ) +#if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) #include #include @@ -47,235 +47,242 @@ #define CHACHA20_POLY1305_AEAD_INITIAL_COUNTER 0 #define CHACHA20_POLY1305_MAC_PADDING_ALIGNMENT 16 -static void _word32ToLittle64( const word32 inLittle32, byte outLittle64[8] ); -static int _calculateAuthTag( const byte inAuthKey[CHACHA20_POLY1305_AEAD_KEYSIZE], - const byte* inAAD, const word32 inAADLen, - const byte *inCiphertext, const word32 inCiphertextLen, - byte outAuthTag[CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE] ); -static int constantTimeCompare( const byte *a, const byte *b, word32 len ); +static void word32ToLittle64(const word32 inLittle32, byte outLittle64[8]); +static int calculateAuthTag( + const byte inAuthKey[CHACHA20_POLY1305_AEAD_KEYSIZE], + const byte* inAAD, const word32 inAADLen, + const byte *inCiphertext, const word32 inCiphertextLen, + byte outAuthTag[CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE]); +static int constantTimeCompare(const byte *a, const byte *b, word32 len); -WOLFSSL_API int wc_ChaCha20Poly1305_Encrypt( const byte inKey[CHACHA20_POLY1305_AEAD_KEYSIZE], - const byte inIV[CHACHA20_POLY1305_AEAD_IV_SIZE], - const byte *inAAD, const word32 inAADLen, - const byte *inPlaintext, const word32 inPlaintextLen, - byte *outCiphertext, - byte outAuthTag[CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE] ) +int wc_ChaCha20Poly1305_Encrypt( + const byte inKey[CHACHA20_POLY1305_AEAD_KEYSIZE], + const byte inIV[CHACHA20_POLY1305_AEAD_IV_SIZE], + const byte* inAAD, const word32 inAADLen, + const byte* inPlaintext, const word32 inPlaintextLen, + byte* outCiphertext, + byte outAuthTag[CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE]) { int err; byte poly1305Key[CHACHA20_POLY1305_AEAD_KEYSIZE]; ChaCha chaChaCtx; - - // Validate function arguments - - if( !inKey || !inIV || + + /* Validate function arguments */ + + if (!inKey || !inIV || !inPlaintext || !inPlaintextLen || !outCiphertext || - !outAuthTag ) + !outAuthTag) { return BAD_FUNC_ARG; } - - ForceZero( poly1305Key, sizeof( poly1305Key ) ); - - err = 0; - - // Create the Poly1305 key - - err += wc_Chacha_SetKey( &chaChaCtx, inKey, CHACHA20_POLY1305_AEAD_KEYSIZE ); - err += wc_Chacha_SetIV( &chaChaCtx, inIV, CHACHA20_POLY1305_AEAD_INITIAL_COUNTER ); - err += wc_Chacha_Process( &chaChaCtx, poly1305Key, poly1305Key, CHACHA20_POLY1305_AEAD_KEYSIZE ); - if( err ) - { - return err; - } - - // Encrypt the plaintext using ChaCha20 - - err = wc_Chacha_Process( &chaChaCtx, outCiphertext, inPlaintext, inPlaintextLen ); - if( err ) - { - return err; - } - - // Calculate the Poly1305 auth tag - - err = _calculateAuthTag( poly1305Key, - inAAD, inAADLen, - outCiphertext, inPlaintextLen, - outAuthTag ); - + + XMEMSET(poly1305Key, 0, sizeof(poly1305Key)); + + /* Create the Poly1305 key */ + err = wc_Chacha_SetKey(&chaChaCtx, inKey, CHACHA20_POLY1305_AEAD_KEYSIZE); + if (err != 0) return err; + + err = wc_Chacha_SetIV(&chaChaCtx, inIV, + CHACHA20_POLY1305_AEAD_INITIAL_COUNTER); + if (err != 0) return err; + + err = wc_Chacha_Process(&chaChaCtx, poly1305Key, poly1305Key, + CHACHA20_POLY1305_AEAD_KEYSIZE); + if (err != 0) return err; + + /* Encrypt the plaintext using ChaCha20 */ + err = wc_Chacha_Process(&chaChaCtx, outCiphertext, inPlaintext, + inPlaintextLen); + /* Calculate the Poly1305 auth tag */ + if (err == 0) + err = calculateAuthTag(poly1305Key, + inAAD, inAADLen, + outCiphertext, inPlaintextLen, + outAuthTag); + ForceZero(poly1305Key, sizeof(poly1305Key)); + return err; } -WOLFSSL_API int wc_ChaCha20Poly1305_Decrypt( const byte inKey[CHACHA20_POLY1305_AEAD_KEYSIZE], - const byte inIV[CHACHA20_POLY1305_AEAD_IV_SIZE], - const byte *inAAD, const word32 inAADLen, - const byte *inCiphertext, const word32 inCiphertextLen, - const byte inAuthTag[CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE], - byte* outPlaintext ) + +int wc_ChaCha20Poly1305_Decrypt( + const byte inKey[CHACHA20_POLY1305_AEAD_KEYSIZE], + const byte inIV[CHACHA20_POLY1305_AEAD_IV_SIZE], + const byte* inAAD, const word32 inAADLen, + const byte* inCiphertext, const word32 inCiphertextLen, + const byte inAuthTag[CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE], + byte* outPlaintext) { int err; byte poly1305Key[CHACHA20_POLY1305_AEAD_KEYSIZE]; ChaCha chaChaCtx; byte calculatedAuthTag[CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE]; - - // Validate function arguments - - if( !inKey || !inIV || + + /* Validate function arguments */ + + if (!inKey || !inIV || !inCiphertext || !inCiphertextLen || !inAuthTag || - !outPlaintext ) + !outPlaintext) { return BAD_FUNC_ARG; } - - ForceZero( calculatedAuthTag, sizeof( calculatedAuthTag ) ); - ForceZero( poly1305Key, sizeof( poly1305Key ) ); - - err = 0; - - // Create the Poly1305 key - - err += wc_Chacha_SetKey( &chaChaCtx, inKey, CHACHA20_POLY1305_AEAD_KEYSIZE ); - err += wc_Chacha_SetIV( &chaChaCtx, inIV, CHACHA20_POLY1305_AEAD_INITIAL_COUNTER ); - err += wc_Chacha_Process( &chaChaCtx, poly1305Key, poly1305Key, CHACHA20_POLY1305_AEAD_KEYSIZE ); - if( err ) + + XMEMSET(calculatedAuthTag, 0, sizeof(calculatedAuthTag)); + XMEMSET(poly1305Key, 0, sizeof(poly1305Key)); + + /* Create the Poly1305 key */ + err = wc_Chacha_SetKey(&chaChaCtx, inKey, CHACHA20_POLY1305_AEAD_KEYSIZE); + if (err != 0) return err; + + err = wc_Chacha_SetIV(&chaChaCtx, inIV, + CHACHA20_POLY1305_AEAD_INITIAL_COUNTER); + if (err != 0) return err; + + err = wc_Chacha_Process(&chaChaCtx, poly1305Key, poly1305Key, + CHACHA20_POLY1305_AEAD_KEYSIZE); + if (err != 0) return err; + + /* Calculate the Poly1305 auth tag */ + err = calculateAuthTag(poly1305Key, + inAAD, inAADLen, + inCiphertext, inCiphertextLen, + calculatedAuthTag); + + /* Compare the calculated auth tag with the received one */ + if (err == 0 && constantTimeCompare(inAuthTag, calculatedAuthTag, + CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE) != 0) { - return err; + err = MAC_CMP_FAILED_E; } - - // Calculate the Poly1305 auth tag - - err = _calculateAuthTag( poly1305Key, - inAAD, inAADLen, - inCiphertext, inCiphertextLen, - calculatedAuthTag ); - - // Compare the calculated auth tag with the received one - - if( constantTimeCompare( inAuthTag, calculatedAuthTag, CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE ) ) - { - return MAC_CMP_FAILED_E; - } - - // Decrypt the received ciphertext - - err = wc_Chacha_Process( &chaChaCtx, outPlaintext, inCiphertext, inCiphertextLen ); - + + /* Decrypt the received ciphertext */ + if (err == 0) + err = wc_Chacha_Process(&chaChaCtx, outPlaintext, inCiphertext, + inCiphertextLen); + ForceZero(poly1305Key, sizeof(poly1305Key)); + return err; } -static int _calculateAuthTag( const byte inAuthKey[CHACHA20_POLY1305_AEAD_KEYSIZE], - const byte *inAAD, const word32 inAADLen, - const byte *inCiphertext, const word32 inCiphertextLen, - byte outAuthTag[CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE] ) + +static int calculateAuthTag( + const byte inAuthKey[CHACHA20_POLY1305_AEAD_KEYSIZE], + const byte *inAAD, const word32 inAADLen, + const byte *inCiphertext, const word32 inCiphertextLen, + byte outAuthTag[CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE]) { int err; Poly1305 poly1305Ctx; byte padding[CHACHA20_POLY1305_MAC_PADDING_ALIGNMENT - 1]; word32 paddingLen; byte little64[8]; - - ForceZero( padding, sizeof( padding ) ); + + XMEMSET(padding, 0, sizeof(padding)); paddingLen = 0; - - // Initialize Poly1305 - - err = wc_Poly1305SetKey( &poly1305Ctx, inAuthKey, CHACHA20_POLY1305_AEAD_KEYSIZE ); - if( err ) + + /* Initialize Poly1305 */ + + err = wc_Poly1305SetKey(&poly1305Ctx, inAuthKey, + CHACHA20_POLY1305_AEAD_KEYSIZE); + if (err) { return err; } - - // Create the authTag by MAC'ing the following items: - - // -- AAD - - if( inAAD && inAADLen ) + + /* Create the authTag by MAC'ing the following items: */ + + /* -- AAD */ + + if (inAAD && inAADLen) { - err = wc_Poly1305Update( &poly1305Ctx, inAAD, inAADLen ); - - // -- padding1: pad the AAD to 16 bytes - - paddingLen = -inAADLen & ( CHACHA20_POLY1305_MAC_PADDING_ALIGNMENT - 1 ); - if( paddingLen ) + err = wc_Poly1305Update(&poly1305Ctx, inAAD, inAADLen); + + /* -- padding1: pad the AAD to 16 bytes */ + + paddingLen = -inAADLen & (CHACHA20_POLY1305_MAC_PADDING_ALIGNMENT - 1); + if (paddingLen) { - err += wc_Poly1305Update( &poly1305Ctx, padding, paddingLen ); + err += wc_Poly1305Update(&poly1305Ctx, padding, paddingLen); } - - if( err ) + + if (err) { return err; } } - - // -- Ciphertext - - err = wc_Poly1305Update( &poly1305Ctx, inCiphertext, inCiphertextLen ); - if( err ) + + /* -- Ciphertext */ + + err = wc_Poly1305Update(&poly1305Ctx, inCiphertext, inCiphertextLen); + if (err) { return err; } - - // -- padding2: pad the ciphertext to 16 bytes - - paddingLen = -inCiphertextLen & ( CHACHA20_POLY1305_MAC_PADDING_ALIGNMENT - 1 ); - if( paddingLen ) + + /* -- padding2: pad the ciphertext to 16 bytes */ + + paddingLen = -inCiphertextLen & + (CHACHA20_POLY1305_MAC_PADDING_ALIGNMENT - 1); + if (paddingLen) { - err = wc_Poly1305Update( &poly1305Ctx, padding, paddingLen ); - if( err ) + err = wc_Poly1305Update(&poly1305Ctx, padding, paddingLen); + if (err) { return err; } } - - // -- AAD length as a 64-bit little endian integer - - _word32ToLittle64( inAADLen, little64 ); - - err = wc_Poly1305Update( &poly1305Ctx, little64, sizeof( little64 ) ); - if( err ) + + /* -- AAD length as a 64-bit little endian integer */ + + word32ToLittle64(inAADLen, little64); + + err = wc_Poly1305Update(&poly1305Ctx, little64, sizeof(little64)); + if (err) { return err; } - - // -- Ciphertext length as a 64-bit little endian integer - - _word32ToLittle64( inCiphertextLen, little64 ); - - err = wc_Poly1305Update( &poly1305Ctx, little64, sizeof( little64 ) ); - if( err ) + + /* -- Ciphertext length as a 64-bit little endian integer */ + + word32ToLittle64(inCiphertextLen, little64); + + err = wc_Poly1305Update(&poly1305Ctx, little64, sizeof(little64)); + if (err) { return err; } - - // Finalize the auth tag - - err = wc_Poly1305Final( &poly1305Ctx, outAuthTag ); - + + /* Finalize the auth tag */ + + err = wc_Poly1305Final(&poly1305Ctx, outAuthTag); + return err; } -static void _word32ToLittle64( const word32 inLittle32, byte outLittle64[8] ) + +static void word32ToLittle64(const word32 inLittle32, byte outLittle64[8]) { - ForceZero( outLittle64, 8 ); - - outLittle64[0] = ( inLittle32 & 0x000000FF ); - outLittle64[1] = ( inLittle32 & 0x0000FF00 ) >> 8; - outLittle64[2] = ( inLittle32 & 0x00FF0000 ) >> 16; - outLittle64[3] = ( inLittle32 & 0xFF000000 ) >> 24; + XMEMSET(outLittle64, 0, 8); + + outLittle64[0] = (inLittle32 & 0x000000FF); + outLittle64[1] = (inLittle32 & 0x0000FF00) >> 8; + outLittle64[2] = (inLittle32 & 0x00FF0000) >> 16; + outLittle64[3] = (inLittle32 & 0xFF000000) >> 24; } -static int constantTimeCompare( const byte *a, const byte *b, word32 len ) + +static int constantTimeCompare(const byte *a, const byte *b, word32 len) { word32 i; byte result = 0; - - for( i = 0; i < len; i++ ) + + for (i = 0; i < len; i++) { result |= a[i] ^ b[i]; } - + return (int)result; } diff --git a/wolfcrypt/src/error.c b/wolfcrypt/src/error.c index 8c843a16c..48da1ba40 100644 --- a/wolfcrypt/src/error.c +++ b/wolfcrypt/src/error.c @@ -316,6 +316,9 @@ const char* wc_GetErrorString(int error) case THREAD_STORE_SET_E: return "Thread Storage Set error"; + case MAC_CMP_FAILED_E: + return "MAC comparison failed"; + default: return "unknown error number"; diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index aadf0256b..b3788034c 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -2074,12 +2074,12 @@ int poly1305_test(void) #endif /* HAVE_POLY1305 */ -#if(defined(HAVE_CHACHA) && defined(HAVE_POLY1305)) +#if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) int chacha20_poly1305_aead_test(void) { - // Test #1 from Section 2.8.2 of draft-irtf-cfrg-chacha20-poly1305-10 - // https://tools.ietf.org/html/draft-irtf-cfrg-chacha20-poly1305-10 - + /* Test #1 from Section 2.8.2 of draft-irtf-cfrg-chacha20-poly1305-10 */ + /* https://tools.ietf.org/html/draft-irtf-cfrg-chacha20-poly1305-10 */ + const byte key1[] = { 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f, @@ -2132,22 +2132,22 @@ int chacha20_poly1305_aead_test(void) 0xe5, 0x76, 0xd2, 0x65, 0x86, 0xce, 0xc6, 0x4b, 0x61, 0x16 }; - + const byte authTag1[] = { /* expected output from operation */ 0x1a, 0xe1, 0x0b, 0x59, 0x4f, 0x09, 0xe2, 0x6a, 0x7e, 0x90, 0x2e, 0xcb, 0xd0, 0x60, 0x06, 0x91 }; - - // Test #2 from Appendix A.2 in draft-irtf-cfrg-chacha20-poly1305-10 - // https://tools.ietf.org/html/draft-irtf-cfrg-chacha20-poly1305-10 - + + /* Test #2 from Appendix A.2 in draft-irtf-cfrg-chacha20-poly1305-10 */ + /* https://tools.ietf.org/html/draft-irtf-cfrg-chacha20-poly1305-10 */ + const byte key2[] = { 0x1c, 0x92, 0x40, 0xa5, 0xeb, 0x55, 0xd3, 0x8a, 0xf3, 0x33, 0x88, 0x86, 0x04, 0xf6, 0xb5, 0xf0, 0x47, 0x39, 0x17, 0xc1, 0x40, 0x2b, 0x80, 0x09, 0x9d, 0xca, 0x5c, 0xbc, 0x20, 0x70, 0x75, 0xc0 }; - + const byte plaintext2[] = { 0x49, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x2d, 0x44, 0x72, 0x61, 0x66, 0x74, 0x73, 0x20, @@ -2178,23 +2178,23 @@ int chacha20_poly1305_aead_test(void) 0x6c, 0x20, 0x6f, 0x72, 0x20, 0x74, 0x6f, 0x20, 0x63, 0x69, 0x74, 0x65, 0x20, 0x74, 0x68, 0x65, 0x6d, 0x20, 0x6f, 0x74, 0x68, 0x65, 0x72, 0x20, - 0x74, 0x68, 0x61, 0x6e, 0x20, 0x61, 0x73, 0x20, + 0x74, 0x68, 0x61, 0x6e, 0x20, 0x61, 0x73, 0x20, 0x2f, 0xe2, 0x80, 0x9c, 0x77, 0x6f, 0x72, 0x6b, - 0x20, 0x69, 0x6e, 0x20, 0x70, 0x72, 0x6f, 0x67, + 0x20, 0x69, 0x6e, 0x20, 0x70, 0x72, 0x6f, 0x67, 0x72, 0x65, 0x73, 0x73, 0x2e, 0x2f, 0xe2, 0x80, 0x9d }; - + const byte iv2[] = { 0x00, 0x00, 0x00, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08 }; - + const byte aad2[] = { /* additional data */ 0xf3, 0x33, 0x88, 0x86, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4e, 0x91 }; - + const byte cipher2[] = { /* expected output from operation */ 0x64, 0xa0, 0x86, 0x15, 0x75, 0x86, 0x1a, 0xf4, 0x60, 0xf0, 0x62, 0xc7, 0x9b, 0xe6, 0x43, 0xbd, @@ -2231,103 +2231,103 @@ int chacha20_poly1305_aead_test(void) 0xa6, 0xad, 0x5c, 0xb4, 0x02, 0x2b, 0x02, 0x70, 0x9b }; - + const byte authTag2[] = { /* expected output from operation */ 0xee, 0xad, 0x9d, 0x67, 0x89, 0x0c, 0xbb, 0x22, 0x39, 0x23, 0x36, 0xfe, 0xa1, 0x85, 0x1f, 0x38 }; - + byte generatedCiphertext[272]; byte generatedPlaintext[272]; byte generatedAuthTag[CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE]; int err; - - XMEMSET( generatedCiphertext, 0, sizeof( generatedCiphertext ) ); - XMEMSET( generatedAuthTag, 0, sizeof( generatedAuthTag ) ); - XMEMSET( generatedPlaintext, 0, sizeof( generatedPlaintext ) ); - - // Test #1 - - err = wc_ChaCha20Poly1305_Encrypt( key1, iv1, - aad1, sizeof( aad1 ), - plaintext1, sizeof( plaintext1 ), - generatedCiphertext, generatedAuthTag ); - if( err ) + + XMEMSET(generatedCiphertext, 0, sizeof(generatedCiphertext)); + XMEMSET(generatedAuthTag, 0, sizeof(generatedAuthTag)); + XMEMSET(generatedPlaintext, 0, sizeof(generatedPlaintext)); + + /* Test #1 */ + + err = wc_ChaCha20Poly1305_Encrypt(key1, iv1, + aad1, sizeof(aad1), + plaintext1, sizeof(plaintext1), + generatedCiphertext, generatedAuthTag); + if (err) { return err; } - - // -- Check the ciphertext and authtag - - if( XMEMCMP( generatedCiphertext, cipher1, sizeof( cipher1 ) ) ) + + /* -- Check the ciphertext and authtag */ + + if (XMEMCMP(generatedCiphertext, cipher1, sizeof(cipher1))) { return -1064; } - - if( XMEMCMP( generatedAuthTag, authTag1, sizeof( authTag1 ) ) ) + + if (XMEMCMP(generatedAuthTag, authTag1, sizeof(authTag1))) { return -1065; } - - // -- Verify decryption works - - err = wc_ChaCha20Poly1305_Decrypt( key1, iv1, - aad1, sizeof( aad1 ), - cipher1, sizeof( cipher1 ), - authTag1, generatedPlaintext ); - if( err ) + + /* -- Verify decryption works */ + + err = wc_ChaCha20Poly1305_Decrypt(key1, iv1, + aad1, sizeof(aad1), + cipher1, sizeof(cipher1), + authTag1, generatedPlaintext); + if (err) { return err; } - - if( XMEMCMP( generatedPlaintext, plaintext1, sizeof( plaintext1 ) ) ) + + if (XMEMCMP(generatedPlaintext, plaintext1, sizeof( plaintext1))) { return -1066; } - - XMEMSET( generatedCiphertext, 0, sizeof( generatedCiphertext ) ); - XMEMSET( generatedAuthTag, 0, sizeof( generatedAuthTag ) ); - XMEMSET( generatedPlaintext, 0, sizeof( generatedPlaintext ) ); - - // Test #2 - - err = wc_ChaCha20Poly1305_Encrypt( key2, iv2, - aad2, sizeof( aad2 ), - plaintext2, sizeof( plaintext2 ), - generatedCiphertext, generatedAuthTag ); - if( err ) + + XMEMSET(generatedCiphertext, 0, sizeof(generatedCiphertext)); + XMEMSET(generatedAuthTag, 0, sizeof(generatedAuthTag)); + XMEMSET(generatedPlaintext, 0, sizeof(generatedPlaintext)); + + /* Test #2 */ + + err = wc_ChaCha20Poly1305_Encrypt(key2, iv2, + aad2, sizeof(aad2), + plaintext2, sizeof(plaintext2), + generatedCiphertext, generatedAuthTag); + if (err) { return err; } - - // -- Check the ciphertext and authtag - - if( XMEMCMP( generatedCiphertext, cipher2, sizeof( cipher2 ) ) ) + + /* -- Check the ciphertext and authtag */ + + if (XMEMCMP(generatedCiphertext, cipher2, sizeof(cipher2))) { return -1067; } - - if( XMEMCMP( generatedAuthTag, authTag2, sizeof( authTag2 ) ) ) + + if (XMEMCMP(generatedAuthTag, authTag2, sizeof(authTag2))) { return -1068; } - - // -- Verify decryption works - - err = wc_ChaCha20Poly1305_Decrypt( key2, iv2, - aad2, sizeof( aad2 ), - cipher2, sizeof( cipher2 ), - authTag2, generatedPlaintext ); - if( err ) + + /* -- Verify decryption works */ + + err = wc_ChaCha20Poly1305_Decrypt(key2, iv2, + aad2, sizeof(aad2), + cipher2, sizeof(cipher2), + authTag2, generatedPlaintext); + if (err) { return err; } - - if( XMEMCMP( generatedPlaintext, plaintext2, sizeof( plaintext2 ) ) ) + + if (XMEMCMP(generatedPlaintext, plaintext2, sizeof(plaintext2))) { return -1069; } - + return err; } #endif /* HAVE_CHACHA && HAVE_POLY1305 */ diff --git a/wolfssl/version.h b/wolfssl/version.h index 414af9bd1..6a6e237b8 100644 --- a/wolfssl/version.h +++ b/wolfssl/version.h @@ -26,8 +26,8 @@ extern "C" { #endif -#define LIBWOLFSSL_VERSION_STRING "3.4.0" -#define LIBWOLFSSL_VERSION_HEX 0x03004000 +#define LIBWOLFSSL_VERSION_STRING "3.4.1" +#define LIBWOLFSSL_VERSION_HEX 0x03004001 #ifdef __cplusplus } diff --git a/wolfssl/wolfcrypt/chacha20_poly1305.h b/wolfssl/wolfcrypt/chacha20_poly1305.h index fdb902fc5..8b7e477e5 100644 --- a/wolfssl/wolfcrypt/chacha20_poly1305.h +++ b/wolfssl/wolfcrypt/chacha20_poly1305.h @@ -17,13 +17,14 @@ * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA - * - * This implementation of the ChaCha20-Poly1305 AEAD is based on "ChaCha20 + */ + +/* This implementation of the ChaCha20-Poly1305 AEAD is based on "ChaCha20 * and Poly1305 for IETF protocols" (draft-irtf-cfrg-chacha20-poly1305-10): * https://tools.ietf.org/html/draft-irtf-cfrg-chacha20-poly1305-10 */ -#if( defined( HAVE_CHACHA ) && defined( HAVE_POLY1305 ) ) +#if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) #ifndef WOLF_CRYPT_CHACHA20_POLY1305_H #define WOLF_CRYPT_CHACHA20_POLY1305_H @@ -31,18 +32,18 @@ #include #ifdef __cplusplus -extern "C" { + extern "C" { #endif - + #define CHACHA20_POLY1305_AEAD_KEYSIZE 32 #define CHACHA20_POLY1305_AEAD_IV_SIZE 12 #define CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE 16 - - enum { - CHACHA20_POLY_1305_ENC_TYPE = 8 /* cipher unique type */ - }; - - /* + +enum { + CHACHA20_POLY_1305_ENC_TYPE = 8 /* cipher unique type */ +}; + + /* * The IV for this implementation is 96 bits to give the most flexibility. * * Some protocols may have unique per-invocation inputs that are not @@ -51,24 +52,28 @@ extern "C" { * transform the protocol nonce into a 96-bit nonce, for example by * concatenating a constant value. */ - - WOLFSSL_API int wc_ChaCha20Poly1305_Encrypt(const byte inKey[CHACHA20_POLY1305_AEAD_KEYSIZE], - const byte inIV[CHACHA20_POLY1305_AEAD_IV_SIZE], - const byte* inAAD, const word32 inAADLen, - const byte* inPlaintext, const word32 inPlaintextLen, - byte* outCiphertext, - byte outAuthTag[CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE]); - - WOLFSSL_API int wc_ChaCha20Poly1305_Decrypt(const byte inKey[CHACHA20_POLY1305_AEAD_KEYSIZE], - const byte inIV[CHACHA20_POLY1305_AEAD_IV_SIZE], - const byte* inAAD, const word32 inAADLen, - const byte* inCiphertext, const word32 inCiphertextLen, - const byte inAuthTag[CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE], - byte* outPlaintext); - + +WOLFSSL_API +int wc_ChaCha20Poly1305_Encrypt( + const byte inKey[CHACHA20_POLY1305_AEAD_KEYSIZE], + const byte inIV[CHACHA20_POLY1305_AEAD_IV_SIZE], + const byte* inAAD, const word32 inAADLen, + const byte* inPlaintext, const word32 inPlaintextLen, + byte* outCiphertext, + byte outAuthTag[CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE]); + +WOLFSSL_API +int wc_ChaCha20Poly1305_Decrypt( + const byte inKey[CHACHA20_POLY1305_AEAD_KEYSIZE], + const byte inIV[CHACHA20_POLY1305_AEAD_IV_SIZE], + const byte* inAAD, const word32 inAADLen, + const byte* inCiphertext, const word32 inCiphertextLen, + const byte inAuthTag[CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE], + byte* outPlaintext); + #ifdef __cplusplus -} /* extern "C" */ + } /* extern "C" */ #endif #endif /* WOLF_CRYPT_CHACHA20_POLY1305_H */ -#endif /* HAVE_CHACHA && HAVE_POLY1305 */ \ No newline at end of file +#endif /* HAVE_CHACHA && HAVE_POLY1305 */ diff --git a/wolfssl/wolfcrypt/error-crypt.h b/wolfssl/wolfcrypt/error-crypt.h index 67291ec58..e172e6aec 100644 --- a/wolfssl/wolfcrypt/error-crypt.h +++ b/wolfssl/wolfcrypt/error-crypt.h @@ -145,9 +145,9 @@ enum { AESGCM_KAT_FIPS_E = -210, /* AESGCM KAT failure */ THREAD_STORE_KEY_E = -211, /* Thread local storage key create failure */ THREAD_STORE_SET_E = -212, /* Thread local storage key set failure */ - + MAC_CMP_FAILED_E = -213, /* MAC comparison failed */ - + MIN_CODE_E = -300 /* errors -101 - -299 */ }; diff --git a/wolfssl/wolfcrypt/include.am b/wolfssl/wolfcrypt/include.am index c05f0a46a..d82d85134 100644 --- a/wolfssl/wolfcrypt/include.am +++ b/wolfssl/wolfcrypt/include.am @@ -32,6 +32,7 @@ nobase_include_HEADERS+= \ wolfssl/wolfcrypt/pwdbased.h \ wolfssl/wolfcrypt/rabbit.h \ wolfssl/wolfcrypt/chacha.h \ + wolfssl/wolfcrypt/chacha20_poly1305.h \ wolfssl/wolfcrypt/random.h \ wolfssl/wolfcrypt/ripemd.h \ wolfssl/wolfcrypt/rsa.h \