Implement Chacha20 and Poly1305 #485
Gosh that was quick! You didn't really do this in a day did you? Thanks very much for the contribution! It's going to take us a little time to review, and properly integrate, which we'll do at the next opportunity.
Haha no, I started working on it for mbedTLS a few days ago, since I'd like to use these along with mbedTLS on one of my own projects. I'm also familiar with ChaCha20 having previously implemented it in Ada about a year ago, so that helps.
Test vectors are included from RFC 7539. Poly1305 is also added to the benchmark program.
This implementation is based off the description in RFC 7539. The ChaCha20 code is also updated to provide a means of generating keystream blocks with arbitrary counter values. This is used to generate the one-time Poly1305 key in the AEAD construction.
This change permits users of the ChaCha20/Poly1305 algorithms (and the AEAD construction thereof) to pass NULL pointers for data that they do not need, and avoids the need to provide a valid buffer for data that is not used.
I refactored some code into the function mbedtls_constant_time_memcmp in commit 7aad291 but this function is only used by GCM and AEAD_ChaCha20_Poly1305 to check the tags. So this function is now only enabled if either of these two ciphers is enabled.
This change assigns error codes for ChaCha20, Poly1305, and AEAD_ChaCha20_Poly1305 according to the policy defined in error.h
This change corrects some minor style violations, mostly for spacing around parentheses.
Hello again, I've just rebased my branch with the latest mbedTLS development branch to resolve the merge conflicts and to keep it more up-to-date.
@damaki Thanks again for your contribution and sorry for keeping you waiting for so long. I'm happy to announce that integrating these new primitives finally made it into our short-term roadmap and we are aiming to include your contribution in our next release. Even though your PR is very high quality already, there are inevitably a few things to rework. Since we feel it wouldn't be fair to ask you to do this rework in a short delay after keeping you waiting for almost two years, we're going to do it ourselves in this new PR: #1617. Please note that this is not how we intend to handle contributions in general, it is only a work-around while we try to handle our backlog of overdue PRs. In the future we certainly intend to react more quickly to incoming contributions and work with submitters on finalizing them.
Continued in: #1617
Hello again!
This pull request implements the ChaCha20 cipher, the Poly1305 authenticator, and the ChaCha20+Poly1305 AEAD described in RFC 7539. This addresses Issue #346.
ChaCha20 and AEAD_ChaCha20_Poly1305 have been added to the Cipher module also.
I've implemented these algorithms by following RFC 7539. I referred to one of the RFC's informative references here to help fix some multiplication correctness issues that I had with Poly1305 whilst implementing the algorithm.
The test suite has been updated to include the test vectors from RFC 7539 for each of the algorithms.
Below are the benchmark results for ChaCha20 and Poly1305 individually, tested on my system: Ubuntu 14.04 64-bit, Intel Core i7-2630QM, built using GCC 4.9.3.
This change currently only adds the ciphers to mbedTLS. I haven't added any of the ChaCha20 cipher suites described in draft-ietf-tls-chacha20-poly1305-04, as I'd like some feedback first.