This pull request implements the ChaCha20 cipher, the Poly1305 authenticator,
ChaCha20 and AEAD_ChaCha20_Poly1305 have been added to the Cipher module also.
I've implemented these algorithms by following RFC 7539. I referred to one of the RFC's informative references here to help fix some multiplication correctness issues that I had with Poly1305 whilst implementing the algorithm.
The test suite has been updated to include the test vectors from RFC 7539 for each of the algorithms.
Below are the benchmark results for ChaCha20 and Poly1305 individually, tested
This change currently only adds the ciphers to mbedTLS. I haven't added any of the ChaCha20 cipher suites described in draft-ietf-tls-chacha20-poly1305-04, as I'd like some feedback first.
This change permits users of the ChaCha20/Poly1305 algorithms (and the AEAD construction thereof) to pass NULL pointers for data that they do not need, and avoids the need to provide a valid buffer for data that is not used.
I refactored some code into the function mbedtls_constant_time_memcmp in commit 7aad291 but this function is only used by GCM and AEAD_ChaCha20_Poly1305 to check the tags. So this function is now only enabled if either of these two ciphers is enabled.
This change assigns error codes for ChaCha20, Poly1305, and AEAD_ChaCha20_Poly1305 according to the policy defined in error.h.
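The PR description above touches three points a reviewer would want to see concretely: Poly1305 as specified in RFC 7539 (the multiplication is the part the author found easy to get wrong), acceptance of absent/zero-length data, and a constant-time tag comparison like the `mbedtls_constant_time_memcmp` helper mentioned for GCM and AEAD_ChaCha20_Poly1305. The following is an added illustration written for this review and is not mbedTLS code or the PR's own code; it is in Python rather than C so that the 130-bit modular arithmetic is shown directly with native big integers instead of limb arithmetic. The function names (`poly1305_mac`, `poly1305_verify`, `constant_time_equal`) are my own; the clamp mask, the prime and the key/message/tag values come from RFC 7539 section 2.5.

```python
"""Poly1305 one-time authenticator as specified in RFC 7539 section 2.5,
with a constant-time tag check. Added example, not mbedTLS code."""
import hmac

# The prime 2^130 - 5 over which the polynomial is evaluated.
P = (1 << 130) - 5
# Mask from RFC 7539 section 2.5: clears the top 4 bits of every 4-byte
# word of r and the bottom 2 bits of words 1..3.
CLAMP_MASK = 0x0ffffffc0ffffffc0ffffffc0fffffff


def poly1305_mac(key: bytes, msg: bytes) -> bytes:
    """Return the 16-byte Poly1305 tag for msg under a 32-byte one-time key.

    A zero-length msg is valid (the loop body simply never runs), which is
    the case that lets a caller pass no data at all.
    """
    if len(key) != 32:
        raise ValueError("Poly1305 key must be exactly 32 bytes")
    # r is the first 16 bytes, little-endian, then clamped; s is the rest.
    r = int.from_bytes(key[:16], "little") & CLAMP_MASK
    s = int.from_bytes(key[16:], "little")

    acc = 0
    for i in range(0, len(msg), 16):
        block = msg[i:i + 16]
        # Each block is read little-endian with a 0x01 byte appended, so a
        # short final block is implicitly padded with 0x01 followed by zeros.
        n = int.from_bytes(block + b"\x01", "little")
        # Horner's rule: acc = (acc + n) * r mod 2^130 - 5.  With native big
        # integers the full-width product is exact; in C this is where the
        # limb multiplication and carry propagation has to be right.
        acc = ((acc + n) * r) % P

    # Add s and keep only the low 128 bits (addition is modulo 2^128).
    acc = (acc + s) & ((1 << 128) - 1)
    return acc.to_bytes(16, "little")


def constant_time_equal(a: bytes, b: bytes) -> bool:
    """Length-independent-in-content comparison: OR together every byte
    difference and test once at the end, so no early exit leaks where the
    first mismatch is.  Shown for illustration of the pattern; real code
    should use hmac.compare_digest (see poly1305_verify)."""
    if len(a) != len(b):
        return False
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0


def poly1305_verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare it in constant time."""
    return hmac.compare_digest(poly1305_mac(key, msg), tag)


# RFC 7539 section 2.5.2 test vector (values from the RFC, not constructed).
RFC7539_KEY = bytes.fromhex(
    "85d6be7857556d337f4452fe42d506a8"
    "0103808afb0db2fd4abff6af4149f51b"
)
RFC7539_MSG = b"Cryptographic Forum Research Group"
RFC7539_TAG = bytes.fromhex("a8061dc1305136c6c22b8baf0c0127a9")


if __name__ == "__main__":
    print(poly1305_mac(RFC7539_KEY, RFC7539_MSG).hex())
    print(poly1305_verify(RFC7539_KEY, RFC7539_MSG, RFC7539_TAG))
```

Two behaviours worth noting when reviewing a C port: the empty-message case must produce exactly `s` (the accumulator never advances, so the tag is the second key half), and the tag check must not short-circuit on the first differing byte, which is the reason a dedicated constant-time comparison exists at all.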
@damaki Thanks again for your contribution and sorry for keeping you waiting for so long. I'm happy to announce that integrating these new primitives finally made it into our short term roadmap and we are aiming to include your contribution in our next release.
Even though your PR is very high quality already, there are inevitably a few things to rework. Since we feel it wouldn't be fair to ask you to do this rework in a short delay after keeping you waiting for almost two years, we're going to do it ourselves in this new PR: #1617
Please note that this is not how we intend to handle contributions in general, it is only a work-around while we try to handle our backlog of overdue PRs. In the future we certainly intend to react more quickly to incoming contributions and work with submitters on finalizing them.