chachapoly: force correct mode for integrated API
Allowing DECRYPT with crypt_and_tag is a risk as people might fail to check the tag correctly (or at all). So force them to use auth_decrypt() instead. See also https://github.com/ARMmbed/mbedtls/pull/1668
parent
26c3b0a4b1
commit
3dc62a0a9b
@ -269,7 +269,7 @@ int mbedtls_chachapoly_finish( mbedtls_chachapoly_context *ctx,
|
|||||||
|
|
||||||
/**
|
/**
|
||||||
* \brief This function performs a complete ChaCha20-Poly1305
|
* \brief This function performs a complete ChaCha20-Poly1305
|
||||||
* operation with the previously-set key.
|
* authenticated encryption with the previously-set key.
|
||||||
*
|
*
|
||||||
* \note Before using this function, you must set the key with
|
* \note Before using this function, you must set the key with
|
||||||
* \c mbedtls_chachapoly_setkey().
|
* \c mbedtls_chachapoly_setkey().
|
||||||
@ -280,8 +280,6 @@ int mbedtls_chachapoly_finish( mbedtls_chachapoly_context *ctx,
|
|||||||
* and key.
|
* and key.
|
||||||
*
|
*
|
||||||
* \param ctx The ChaCha20-Poly1305 context to use (holds the key).
|
* \param ctx The ChaCha20-Poly1305 context to use (holds the key).
|
||||||
* \param mode The operation to perform: #MBEDTLS_CHACHAPOLY_ENCRYPT or
|
|
||||||
* #MBEDTLS_CHACHAPOLY_DECRYPT.
|
|
||||||
* \param length The length (in bytes) of the data to encrypt or decrypt.
|
* \param length The length (in bytes) of the data to encrypt or decrypt.
|
||||||
* \param nonce The 96-bit (12 bytes) nonce/IV to use.
|
* \param nonce The 96-bit (12 bytes) nonce/IV to use.
|
||||||
* \param aad The buffer containing the additional authenticated data (AAD).
|
* \param aad The buffer containing the additional authenticated data (AAD).
|
||||||
@ -297,8 +295,7 @@ int mbedtls_chachapoly_finish( mbedtls_chachapoly_context *ctx,
|
|||||||
* \return #MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA
|
* \return #MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA
|
||||||
* if one or more of the required parameters are NULL.
|
* if one or more of the required parameters are NULL.
|
||||||
*/
|
*/
|
||||||
int mbedtls_chachapoly_crypt_and_tag( mbedtls_chachapoly_context *ctx,
|
int mbedtls_chachapoly_encrypt_and_tag( mbedtls_chachapoly_context *ctx,
|
||||||
mbedtls_chachapoly_mode_t mode,
|
|
||||||
size_t length,
|
size_t length,
|
||||||
const unsigned char nonce[12],
|
const unsigned char nonce[12],
|
||||||
const unsigned char *aad,
|
const unsigned char *aad,
|
||||||
|
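Review bot: The `\param length` line kept as context in the second hunk still reads "the data to encrypt or decrypt", although with `mode` removed `mbedtls_chachapoly_encrypt_and_tag()` can only encrypt; it should read `\param length The length (in bytes) of the data to encrypt.` Since the commit exists to steer callers away from decrypting without checking the tag, the doc block would also benefit from a line such as `\note For decryption, use mbedtls_chachapoly_auth_decrypt(), which verifies the tag.` The remaining parameter descriptions fall outside the visible hunks and may need the same wording check.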
@ -311,7 +311,7 @@ int mbedtls_chachapoly_finish( mbedtls_chachapoly_context *ctx,
|
|||||||
return( ret );
|
return( ret );
|
||||||
}
|
}
|
||||||
|
|
||||||
int mbedtls_chachapoly_crypt_and_tag( mbedtls_chachapoly_context *ctx,
|
static int chachapoly_crypt_and_tag( mbedtls_chachapoly_context *ctx,
|
||||||
mbedtls_chachapoly_mode_t mode,
|
mbedtls_chachapoly_mode_t mode,
|
||||||
size_t length,
|
size_t length,
|
||||||
const unsigned char nonce[12],
|
const unsigned char nonce[12],
|
||||||
@ -341,6 +341,20 @@ cleanup:
|
|||||||
return( ret );
|
return( ret );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
int mbedtls_chachapoly_encrypt_and_tag( mbedtls_chachapoly_context *ctx,
|
||||||
|
size_t length,
|
||||||
|
const unsigned char nonce[12],
|
||||||
|
const unsigned char *aad,
|
||||||
|
size_t aad_len,
|
||||||
|
const unsigned char *input,
|
||||||
|
unsigned char *output,
|
||||||
|
unsigned char tag[16] )
|
||||||
|
{
|
||||||
|
return( chachapoly_crypt_and_tag( ctx, MBEDTLS_CHACHAPOLY_ENCRYPT,
|
||||||
|
length, nonce, aad, aad_len,
|
||||||
|
input, output, tag ) );
|
||||||
|
}
|
||||||
|
|
||||||
int mbedtls_chachapoly_auth_decrypt( mbedtls_chachapoly_context *ctx,
|
int mbedtls_chachapoly_auth_decrypt( mbedtls_chachapoly_context *ctx,
|
||||||
size_t length,
|
size_t length,
|
||||||
const unsigned char nonce[12],
|
const unsigned char nonce[12],
|
||||||
@ -358,7 +372,7 @@ int mbedtls_chachapoly_auth_decrypt( mbedtls_chachapoly_context *ctx,
|
|||||||
if( tag == NULL )
|
if( tag == NULL )
|
||||||
return( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
|
return( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
|
||||||
|
|
||||||
if( ( ret = mbedtls_chachapoly_crypt_and_tag( ctx,
|
if( ( ret = chachapoly_crypt_and_tag( ctx,
|
||||||
MBEDTLS_CHACHAPOLY_DECRYPT, length, nonce,
|
MBEDTLS_CHACHAPOLY_DECRYPT, length, nonce,
|
||||||
aad, aad_len, input, output, check_tag ) ) != 0 )
|
aad, aad_len, input, output, check_tag ) ) != 0 )
|
||||||
{
|
{
|
||||||
@ -499,8 +513,7 @@ int mbedtls_chachapoly_self_test( int verbose )
|
|||||||
ret = mbedtls_chachapoly_setkey( &ctx, test_key[i] );
|
ret = mbedtls_chachapoly_setkey( &ctx, test_key[i] );
|
||||||
ASSERT( 0 == ret, ( "setkey() error code: %i\n", ret ) );
|
ASSERT( 0 == ret, ( "setkey() error code: %i\n", ret ) );
|
||||||
|
|
||||||
ret = mbedtls_chachapoly_crypt_and_tag( &ctx,
|
ret = mbedtls_chachapoly_encrypt_and_tag( &ctx,
|
||||||
MBEDTLS_CHACHAPOLY_ENCRYPT,
|
|
||||||
test_input_len[i],
|
test_input_len[i],
|
||||||
test_nonce[i],
|
test_nonce[i],
|
||||||
test_aad[i],
|
test_aad[i],
|
||||||
|
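Review bot: The now-static `chachapoly_crypt_and_tag()` keeps its `mode` parameter but gets no comment recording the contract this commit depends on. Judging from the visible call in `mbedtls_chachapoly_auth_decrypt()`, which passes `check_tag` as the tag argument, the helper in `MBEDTLS_CHACHAPOLY_DECRYPT` mode writes plaintext to `output` and a computed tag to `tag` and leaves the comparison to its caller. I would add above the definition `/* Internal: in DECRYPT mode the output is unauthenticated; the caller must compare the computed tag before releasing it. */`. The part of `mbedtls_chachapoly_auth_decrypt()` that compares `check_tag` with `tag` lies outside the hunk, so it is worth confirming there that the comparison is constant-time and that `output` is cleared on mismatch.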
@ -992,8 +992,7 @@ int mbedtls_cipher_auth_encrypt( mbedtls_cipher_context_t *ctx,
|
|||||||
}
|
}
|
||||||
|
|
||||||
*olen = ilen;
|
*olen = ilen;
|
||||||
return( mbedtls_chachapoly_crypt_and_tag( ctx->cipher_ctx,
|
return( mbedtls_chachapoly_encrypt_and_tag( ctx->cipher_ctx,
|
||||||
MBEDTLS_CHACHAPOLY_ENCRYPT,
|
|
||||||
ilen, iv, ad, ad_len, input, output, tag ) );
|
ilen, iv, ad, ad_len, input, output, tag ) );
|
||||||
}
|
}
|
||||||
#endif /* MBEDTLS_CHACHAPOLY_C */
|
#endif /* MBEDTLS_CHACHAPOLY_C */
|
||||||
|
@ -491,9 +491,8 @@ int main( int argc, char *argv[] )
|
|||||||
mbedtls_chachapoly_setkey( &chachapoly, tmp );
|
mbedtls_chachapoly_setkey( &chachapoly, tmp );
|
||||||
|
|
||||||
TIME_AND_TSC( title,
|
TIME_AND_TSC( title,
|
||||||
mbedtls_chachapoly_crypt_and_tag( &chachapoly,
|
mbedtls_chachapoly_encrypt_and_tag( &chachapoly,
|
||||||
MBEDTLS_CHACHAPOLY_ENCRYPT, BUFSIZE, tmp,
|
BUFSIZE, tmp, NULL, 0, buf, buf, tmp ) );
|
||||||
NULL, 0, buf, buf, tmp ) );
|
|
||||||
|
|
||||||
mbedtls_chachapoly_free( &chachapoly );
|
mbedtls_chachapoly_free( &chachapoly );
|
||||||
}
|
}
|
||||||
|
@ -48,8 +48,7 @@ void mbedtls_chachapoly_enc( char *hex_key_string, char *hex_nonce_string, char
|
|||||||
|
|
||||||
TEST_ASSERT( mbedtls_chachapoly_setkey( &ctx, key_str ) == 0 );
|
TEST_ASSERT( mbedtls_chachapoly_setkey( &ctx, key_str ) == 0 );
|
||||||
|
|
||||||
TEST_ASSERT( mbedtls_chachapoly_crypt_and_tag( &ctx,
|
TEST_ASSERT( mbedtls_chachapoly_encrypt_and_tag( &ctx,
|
||||||
MBEDTLS_CHACHAPOLY_ENCRYPT,
|
|
||||||
input_len, nonce_str,
|
input_len, nonce_str,
|
||||||
aad_str, aad_len,
|
aad_str, aad_len,
|
||||||
input_str, output, mac ) == 0 );
|
input_str, output, mac ) == 0 );
|
||||||
@ -149,38 +148,32 @@ void chachapoly_bad_params()
|
|||||||
TEST_ASSERT( mbedtls_chachapoly_setkey( &ctx, NULL )
|
TEST_ASSERT( mbedtls_chachapoly_setkey( &ctx, NULL )
|
||||||
== MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
|
== MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
|
||||||
|
|
||||||
TEST_ASSERT( mbedtls_chachapoly_crypt_and_tag( NULL,
|
TEST_ASSERT( mbedtls_chachapoly_encrypt_and_tag( NULL,
|
||||||
MBEDTLS_CHACHAPOLY_ENCRYPT,
|
|
||||||
0, nonce,
|
0, nonce,
|
||||||
aad, 0,
|
aad, 0,
|
||||||
input, output, mac )
|
input, output, mac )
|
||||||
== MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
|
== MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
|
||||||
TEST_ASSERT( mbedtls_chachapoly_crypt_and_tag( &ctx,
|
TEST_ASSERT( mbedtls_chachapoly_encrypt_and_tag( &ctx,
|
||||||
MBEDTLS_CHACHAPOLY_ENCRYPT,
|
|
||||||
0, NULL,
|
0, NULL,
|
||||||
aad, 0,
|
aad, 0,
|
||||||
input, output, mac )
|
input, output, mac )
|
||||||
== MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
|
== MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
|
||||||
TEST_ASSERT( mbedtls_chachapoly_crypt_and_tag( &ctx,
|
TEST_ASSERT( mbedtls_chachapoly_encrypt_and_tag( &ctx,
|
||||||
MBEDTLS_CHACHAPOLY_ENCRYPT,
|
|
||||||
0, nonce,
|
0, nonce,
|
||||||
NULL, aad_len,
|
NULL, aad_len,
|
||||||
input, output, mac )
|
input, output, mac )
|
||||||
== MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
|
== MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
|
||||||
TEST_ASSERT( mbedtls_chachapoly_crypt_and_tag( &ctx,
|
TEST_ASSERT( mbedtls_chachapoly_encrypt_and_tag( &ctx,
|
||||||
MBEDTLS_CHACHAPOLY_ENCRYPT,
|
|
||||||
input_len, nonce,
|
input_len, nonce,
|
||||||
aad, 0,
|
aad, 0,
|
||||||
NULL, output, mac )
|
NULL, output, mac )
|
||||||
== MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
|
== MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
|
||||||
TEST_ASSERT( mbedtls_chachapoly_crypt_and_tag( &ctx,
|
TEST_ASSERT( mbedtls_chachapoly_encrypt_and_tag( &ctx,
|
||||||
MBEDTLS_CHACHAPOLY_ENCRYPT,
|
|
||||||
input_len, nonce,
|
input_len, nonce,
|
||||||
aad, 0,
|
aad, 0,
|
||||||
input, NULL, mac )
|
input, NULL, mac )
|
||||||
== MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
|
== MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
|
||||||
TEST_ASSERT( mbedtls_chachapoly_crypt_and_tag( &ctx,
|
TEST_ASSERT( mbedtls_chachapoly_encrypt_and_tag( &ctx,
|
||||||
MBEDTLS_CHACHAPOLY_ENCRYPT,
|
|
||||||
0, nonce,
|
0, nonce,
|
||||||
aad, 0,
|
aad, 0,
|
||||||
input, output, NULL )
|
input, output, NULL )
|
||||||
@ -217,8 +210,7 @@ void chachapoly_bad_params()
|
|||||||
mac, input, NULL )
|
mac, input, NULL )
|
||||||
== MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
|
== MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
|
||||||
|
|
||||||
TEST_ASSERT( mbedtls_chachapoly_crypt_and_tag( &ctx,
|
TEST_ASSERT( mbedtls_chachapoly_encrypt_and_tag( &ctx,
|
||||||
MBEDTLS_CHACHAPOLY_ENCRYPT,
|
|
||||||
0, nonce,
|
0, nonce,
|
||||||
aad, aad_len,
|
aad, aad_len,
|
||||||
NULL, NULL, mac )
|
NULL, NULL, mac )
|
||||||
@ -229,8 +221,7 @@ void chachapoly_bad_params()
|
|||||||
mac, NULL, NULL )
|
mac, NULL, NULL )
|
||||||
== 0 );
|
== 0 );
|
||||||
|
|
||||||
TEST_ASSERT( mbedtls_chachapoly_crypt_and_tag( &ctx,
|
TEST_ASSERT( mbedtls_chachapoly_encrypt_and_tag( &ctx,
|
||||||
MBEDTLS_CHACHAPOLY_ENCRYPT,
|
|
||||||
input_len, nonce,
|
input_len, nonce,
|
||||||
NULL, 0,
|
NULL, 0,
|
||||||
input, output, mac )
|
input, output, mac )
|
||||||
|