Added documentation and benchmarks.

wolfcrypt/benchmark/benchmark.c

@@ -43,6 +43,7 @@
 #include <wolfssl/wolfcrypt/hc128.h>
 #include <wolfssl/wolfcrypt/rabbit.h>
 #include <wolfssl/wolfcrypt/chacha.h>
+#include <wolfssl/wolfcrypt/chacha20_poly1305.h>
 #include <wolfssl/wolfcrypt/aes.h>
 #include <wolfssl/wolfcrypt/poly1305.h>
 #include <wolfssl/wolfcrypt/camellia.h>
@@ -116,6 +117,7 @@ void bench_arc4(void);
 void bench_hc128(void);
 void bench_rabbit(void);
 void bench_chacha(void);
+void bench_chacha20_poly1305_aead(void);
 void bench_aes(int);
 void bench_aesgcm(void);
 void bench_aesccm(void);
@@ -295,6 +297,9 @@ int benchmark_test(void *args)
 #ifdef HAVE_POLY1305
     bench_poly1305();
 #endif
+#if( defined( HAVE_CHACHA ) && defined( HAVE_POLY1305 ) )
+    bench_chacha20_poly1305_aead();
+#endif
 #ifndef NO_SHA
     bench_sha();
 #endif
@@ -770,6 +775,38 @@ void bench_chacha(void)
 
 }
 #endif /* HAVE_CHACHA*/
+    
+#if( defined( HAVE_CHACHA ) && defined( HAVE_POLY1305 ) )
+void bench_chacha20_poly1305_aead(void)
+{
+    double start, total, persec;
+    int    i;
+    
+    byte authTag[CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE];
+    XMEMSET( authTag, 0, sizeof( authTag ) );
+    
+    start = current_time(1);
+    BEGIN_INTEL_CYCLES
+    
+    for (i = 0; i < numBlocks; i++)
+    {
+        wc_ChaCha20Poly1305_Encrypt( key, iv, NULL, 0, plain, sizeof( plain ), cipher, authTag );
+    }
+    
+    END_INTEL_CYCLES
+    total = current_time(0) - start;
+    persec = 1 / total * numBlocks;
+#ifdef BENCH_EMBEDDED
+    /* since using kB, convert to MB/s */
+    persec = persec / 1024;
+#endif
+    
+    printf("ChaCha20-Poly1305 AEAD   %d %s took %5.3f seconds, %7.3f MB/s", numBlocks, blockType, total, persec);
+    SHOW_INTEL_CYCLES
+    printf("\n");
+    
+}
+#endif /* HAVE_CHACHA && HAVE_POLY1305 */
 
 
 #ifndef NO_MD5

wolfcrypt/src/chacha20_poly1305.c

@@ -223,11 +223,10 @@ static int _calculateAuthTag( const byte inAuthKey[CHACHA20_POLY1305_AEAD_KEYSIZ
     if( paddingLen )
     {
         err = wc_Poly1305Update( &poly1305Ctx, padding, paddingLen );
-    }
-    
-    if( err )
-    {
-        return err;
+        if( err )
+        {
+            return err;
+        }
     }
     
     // -- AAD length as a 64-bit little endian integer

wolfcrypt/test/test.c

@@ -163,7 +163,7 @@ int  arc4_test(void);
 int  hc128_test(void);
 int  rabbit_test(void);
 int  chacha_test(void);
-int  chacha_poly_test(void);
+int  chacha20_poly1305_aead_test(void);
 int  des_test(void);
 int  des3_test(void);
 int  aes_test(void);
@@ -416,10 +416,10 @@ int wolfcrypt_test(void* args)
 #endif
 
 #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
-    if ( (ret = chacha_poly_test()) != 0)
-        return err_sys("CHACHA-POLY AEAD test failed!\n", ret);
+    if ( (ret = chacha20_poly1305_aead_test()) != 0)
+        return err_sys("ChaCha20-Poly1305 AEAD test failed!\n", ret);
     else
-        printf( "ChachaAEAD test passed!\n");
+        printf( "ChaCha20-Poly1305 AEAD test passed!\n");
 #endif
 
 #ifndef NO_DES3
@@ -2074,11 +2074,11 @@ int poly1305_test(void)
 #endif /* HAVE_POLY1305 */
 
 
-#if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
-int chacha_poly_test(void)
+#if(defined(HAVE_CHACHA) && defined(HAVE_POLY1305))
+int chacha20_poly1305_aead_test(void)
 {
-    // Test #1 from Section 2.8.2 of
-    // https://tools.ietf.org/html/draft-irtf-cfrg-chacha20-poly1305
+    // Test #1 from Section 2.8.2 of draft-irtf-cfrg-chacha20-poly1305-10
+    // https://tools.ietf.org/html/draft-irtf-cfrg-chacha20-poly1305-10
     
     const byte key1[] = {
         0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
@@ -2138,8 +2138,8 @@ int chacha_poly_test(void)
         0x7e, 0x90, 0x2e, 0xcb, 0xd0, 0x60, 0x06, 0x91
     };
     
-    // Test #2 from Appendix A.2 in
-    // https://tools.ietf.org/html/draft-irtf-cfrg-chacha20-poly1305
+    // Test #2 from Appendix A.2 in draft-irtf-cfrg-chacha20-poly1305-10
+    // https://tools.ietf.org/html/draft-irtf-cfrg-chacha20-poly1305-10
     
     const byte key2[] = {
         0x1c, 0x92, 0x40, 0xa5, 0xeb, 0x55, 0xd3, 0x8a,

wolfssl/wolfcrypt/chacha20_poly1305.h

@@ -17,6 +17,10 @@
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ *
+ * This implementation of the ChaCha20-Poly1305 AEAD is based on "ChaCha20 
+ * and Poly1305 for IETF protocols" (draft-irtf-cfrg-chacha20-poly1305-10):
+ * https://tools.ietf.org/html/draft-irtf-cfrg-chacha20-poly1305-10
  */
 
 #if( defined( HAVE_CHACHA ) && defined( HAVE_POLY1305 ) )
@@ -38,6 +42,16 @@ extern "C" {
         CHACHA20_POLY_1305_ENC_TYPE = 8    /* cipher unique type */
     };
     
+    /* 
+     * The IV for this implementation is 96 bits to give the most flexibility.
+     *
+     * Some protocols may have unique per-invocation inputs that are not
+     * 96-bit in length. For example, IPsec may specify a 64-bit nonce. In
+     * such a case, it is up to the protocol document to define how to
+     * transform the protocol nonce into a 96-bit nonce, for example by
+     * concatenating a constant value.
+     */
+    
     WOLFSSL_API int wc_ChaCha20Poly1305_Encrypt(const byte inKey[CHACHA20_POLY1305_AEAD_KEYSIZE],
                                                 const byte inIV[CHACHA20_POLY1305_AEAD_IV_SIZE],
                                                 const byte* inAAD, const word32 inAADLen,