From 14d3554ff5cd2b16ab1505144f9d094fb0f1c59f Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 10 Mar 2022 18:36:37 +0100 Subject: [PATCH 1/3] ChaCha20 (PSA): Document that we only support 12-byte nonces Support for 8-byte nonces may be added in the future: https://github.com/ARMmbed/mbedtls/issues/5615 Support for a 16-byte IV for ChaCha20 consisting of a 12-byte nonce and a 4-byte initial counter value may be added in the future: https://github.com/ARMmbed/mbedtls/issues/5616 Signed-off-by: Gilles Peskine --- include/psa/crypto_values.h | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index 5a903f86a..a81a014e4 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h @@ -489,8 +489,12 @@ * * ChaCha20 and the ChaCha20_Poly1305 construction are defined in RFC 7539. * - * Implementations must support 12-byte nonces, may support 8-byte nonces, - * and should reject other sizes. + * \note For ChaCha20 and ChaCha20_Poly1305, Mbed TLS only supports + * 12-byte nonces. + * + * \note For ChaCha20, the initial counter value is 0. To encrypt or decrypt + * with the initial counter value 1, you can process and discard a + * 64-byte block before the real data. */ #define PSA_KEY_TYPE_CHACHA20 ((psa_key_type_t)0x2004) From fc47641e366fc3f3b8f72e7a9a2794ffeb432cb4 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 10 Mar 2022 18:48:14 +0100 Subject: [PATCH 2/3] Add RFC 7539 test vector for ChaCha20 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The PSA Crypto API uses 0 as the initial counter value, but the test vector in RFC 7539 uses 1. So the unit tests here include an extra leading block. The expected data for this leading block was calculated with Cryptodome. #!/usr/bin/env python3 import re from Cryptodome.Cipher import ChaCha20 key = bytes.fromhex('000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f') nonce = bytes.fromhex('000000000000004a00000000') encrypt = lambda pt: ChaCha20.new(key=key, nonce=nonce).encrypt(pt) # Cryptodome uses counter=0, like PSA Crypto. Prepend a 64-byte input block #0 # so that the plaintext from RFC 7539 starts exactly at block #1. header = b'The RFC 7539 test vector uses counter=1, but PSA uses counter=0.' assert(len(header) == 64) sunscreen = b"Ladies and Gentlemen of the class of '99: If I could offer you only one tip for the future, sunscreen would be it." plaintext = header + sunscreen zeros = b'\x00' * len(plaintext) keystream = encrypt(zeros) ciphertext = encrypt(plaintext) print('RFC 7539 §2.4.2') print('Keystream:') print(re.sub(r'(..)', r'\1:', keystream[64:].hex())) print('Ciphertext Subscreen:') print(re.sub(r'(..)', r'\1 ', ciphertext[64:].hex())) print('') print(f"""\ PSA symmetric decrypt: ChaCha20, RFC7539 keystream depends_on:PSA_WANT_ALG_STREAM_CIPHER:PSA_WANT_KEY_TYPE_CHACHA20 # Keystream from RFC 7539 §2.4.2, with an extra 64-byte output block prepended # because the test vector starts at counter=1 but our API starts at counter=0. cipher_decrypt:PSA_ALG_STREAM_CIPHER:PSA_KEY_TYPE_CHACHA20:"{key.hex()}":"{nonce.hex()}":"{zeros.hex()}":"{keystream.hex()}" PSA symmetric decrypt: ChaCha20, RFC7539 sunscreen depends_on:PSA_WANT_ALG_STREAM_CIPHER:PSA_WANT_KEY_TYPE_CHACHA20 # Test vector from RFC 7539 §2.4.2, with an extra 64-byte block prepended # because the test vector starts at counter=1 but our API starts at counter=0. cipher_decrypt:PSA_ALG_STREAM_CIPHER:PSA_KEY_TYPE_CHACHA20:"{key.hex()}":"{nonce.hex()}":"{ciphertext.hex()}":"{plaintext.hex()}" """) Signed-off-by: Gilles Peskine --- tests/suites/test_suite_psa_crypto.data | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index 458860fca..96875d5b3 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -2315,6 +2315,18 @@ PSA symmetric decrypt: CCM*-no-tag, NIST DVPT AES-128 #15 depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES cipher_decrypt:PSA_ALG_CCM_STAR_NO_TAG:PSA_KEY_TYPE_AES:"90929a4b0ac65b350ad1591611fe4829":"5a8aa485c316e9403aff859fbb":"4bfe4e35784f0a65b545477e5e2f4bae0e1e6fa717eaf2cb":"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697" +PSA symmetric decrypt: ChaCha20, RFC7539 keystream +depends_on:PSA_WANT_ALG_STREAM_CIPHER:PSA_WANT_KEY_TYPE_CHACHA20 +# Keystream from RFC 7539 §2.4.2, with an extra 64-byte output block prepended +# because the test vector starts at counter=1 but our API starts at counter=0. +cipher_decrypt:PSA_ALG_STREAM_CIPHER:PSA_KEY_TYPE_CHACHA20:"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f":"000000000000004a00000000":"00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000":"af051e40bba0354981329a806a140eafd258a22a6dcb4bb9f6569cb3efe2deaf837bd87ca20b5ba12081a306af0eb35c41a239d20dfc74c81771560d9c9c1e4b224f51f3401bd9e12fde276fb8631ded8c131f823d2c06e27e4fcaec9ef3cf788a3b0aa372600a92b57974cded2b9334794cba40c63e34cdea212c4cf07d41b769a6749f3f630f4122cafe28ec4dc47e26d4346d70b98c73f3e9c53ac40c5945398b6eda1a832c89c167eacd901d7e2bf363" + +PSA symmetric decrypt: ChaCha20, RFC7539 sunscreen +depends_on:PSA_WANT_ALG_STREAM_CIPHER:PSA_WANT_KEY_TYPE_CHACHA20 +# Test vector from RFC 7539 §2.4.2, with an extra 64-byte block prepended +# because the test vector starts at counter=1 but our API starts at counter=0. +cipher_decrypt:PSA_ALG_STREAM_CIPHER:PSA_KEY_TYPE_CHACHA20:"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f":"000000000000004a00000000":"fb6d7b60e9e67669b607a9b94a606bdca678d44f0ebf24cbd623efd69cc2bdc0f615ac19d0366a8d00e3d6728f5ee01d61d74ab77edc17a7621f2268eea12e656e2e359a2568f98041ba0728dd0d6981e97e7aec1d4360c20a27afccfd9fae0bf91b65c5524733ab8f593dabcd62b3571639d624e65152ab8f530c359f0861d807ca0dbf500d6a6156a38e088a22b65e52bc514d16ccf806818ce91ab77937365af90bbf74a35be6b40b8eedf2785e42874d":"546865205246432037353339207465737420766563746f72207573657320636f756e7465723d312c2062757420505341207573657320636f756e7465723d302e4c616469657320616e642047656e746c656d656e206f662074686520636c617373206f66202739393a204966204920636f756c64206f6666657220796f75206f6e6c79206f6e652074697020666f7220746865206675747572652c2073756e73637265656e20776f756c642062652069742e" + PSA symmetric decrypt multipart: AES-ECB, 0 bytes, good depends_on:PSA_WANT_ALG_ECB_NO_PADDING:PSA_WANT_KEY_TYPE_AES cipher_decrypt_multipart:PSA_ALG_ECB_NO_PADDING:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"":"":0:0:0:"":PSA_SUCCESS @@ -2611,6 +2623,12 @@ PSA symmetric encryption multipart: ChaCha20, 14+50 bytes depends_on:PSA_WANT_ALG_STREAM_CIPHER:PSA_WANT_KEY_TYPE_CHACHA20 cipher_encrypt_multipart:PSA_ALG_STREAM_CIPHER:PSA_KEY_TYPE_CHACHA20:"4bddc98c551a95395ef719557f813656b566bc45aac04eca3866324cc75489f2":"a170d9349d24955aa4501891":"00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000":14:14:50:"9ba7d8de0c6b579fc436e368619e09228070d23246c836d6c6b4c476af6f5eb2b78fbe809d03f7881e6af28cfe3746e8dcf1eb7f762fe7d003141f1539a6cec4":PSA_SUCCESS +PSA symmetric encryption multipart: ChaCha20, RFC7539 sunscreen +depends_on:PSA_WANT_ALG_STREAM_CIPHER:PSA_WANT_KEY_TYPE_CHACHA20 +# Test vector from RFC 7539 §2.4.2, with an extra 64-byte block prepended +# because the test vector starts at counter=1 but our API starts at counter=0. +cipher_encrypt_multipart:PSA_ALG_STREAM_CIPHER:PSA_KEY_TYPE_CHACHA20:"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f":"000000000000004a00000000":"546865205246432037353339207465737420766563746f72207573657320636f756e7465723d312c2062757420505341207573657320636f756e7465723d302e4c616469657320616e642047656e746c656d656e206f662074686520636c617373206f66202739393a204966204920636f756c64206f6666657220796f75206f6e6c79206f6e652074697020666f7220746865206675747572652c2073756e73637265656e20776f756c642062652069742e":64:64:114:"fb6d7b60e9e67669b607a9b94a606bdca678d44f0ebf24cbd623efd69cc2bdc0f615ac19d0366a8d00e3d6728f5ee01d61d74ab77edc17a7621f2268eea12e656e2e359a2568f98041ba0728dd0d6981e97e7aec1d4360c20a27afccfd9fae0bf91b65c5524733ab8f593dabcd62b3571639d624e65152ab8f530c359f0861d807ca0dbf500d6a6156a38e088a22b65e52bc514d16ccf806818ce91ab77937365af90bbf74a35be6b40b8eedf2785e42874d":PSA_SUCCESS + PSA symmetric decrypt multipart: ChaCha20, K=rand N=rand depends_on:PSA_WANT_ALG_STREAM_CIPHER:PSA_WANT_KEY_TYPE_CHACHA20 cipher_decrypt_multipart:PSA_ALG_STREAM_CIPHER:PSA_KEY_TYPE_CHACHA20:"4bddc98c551a95395ef719557f813656b566bc45aac04eca3866324cc75489f2":"a170d9349d24955aa4501891":"00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000":64:64:0:"9ba7d8de0c6b579fc436e368619e09228070d23246c836d6c6b4c476af6f5eb2b78fbe809d03f7881e6af28cfe3746e8dcf1eb7f762fe7d003141f1539a6cec4":PSA_SUCCESS From c50dec07b29048fad532ff4b57e414ddb35e6593 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 10 Mar 2022 18:56:26 +0100 Subject: [PATCH 3/3] ChaCha20 (classic): Document that we only support 12-byte nonces Signed-off-by: Gilles Peskine --- include/mbedtls/cipher.h | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/include/mbedtls/cipher.h b/include/mbedtls/cipher.h index c04097dad..9ce119576 100644 --- a/include/mbedtls/cipher.h +++ b/include/mbedtls/cipher.h @@ -844,6 +844,12 @@ int mbedtls_cipher_set_padding_mode( mbedtls_cipher_context_t *ctx, * \note Some ciphers do not use IVs nor nonce. For these * ciphers, this function has no effect. * + * \note For #MBEDTLS_CIPHER_CHACHA20, the nonce length must + * be 12, and the initial counter value is 0. + * + * \note For #MBEDTLS_CIPHER_CHACHA20_POLY1305, the nonce length + * must be 12. + * * \param ctx The generic cipher context. This must be initialized and * bound to a cipher information structure. * \param iv The IV to use, or NONCE_COUNTER for CTR-mode ciphers. This