CC3XX: Define a Chacha20-Poly1305 state context

adeaarm · adeaarm · commit b5dcc9159f8d · 2022-04-01T09:39:35.000+01:00
The Chacha20-Poly1305 algorithm implementation for multipart
needs to have an associated context to keep track of the Poly1305
state across multipart API calls to both update() and update_ad().
Thus far single part and Chacha20 multipart were using the existing
ChachaContext_t but that needs to be extended for Chacha20-Poly1305.

Signed-off-by: Antonio de Angelis &lt;antonio.deangelis@arm.com&gt;
Change-Id: I37d71da465a81754a57d4637f87cc849dd81c33f
diff --git a/lib/ext/cryptocell-312-runtime/codesafe/src/psa_driver_api/include/cc3xx_crypto_primitives_private.h b/lib/ext/cryptocell-312-runtime/codesafe/src/psa_driver_api/include/cc3xx_crypto_primitives_private.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2021, Arm Limited. All rights reserved.
+ * Copyright (c) 2021-2022, Arm Limited. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  *
@@ -28,6 +28,13 @@
 #include "aesccm_driver.h"
 #include "chacha_driver.h"
 
+/* Include the internal layer defines for Chacha20-Poly1305 because it is there
+ * that the Chacha20-Poly1305 context is defined. This is due to the fact that
+ * the low-level driver contexts don't support Chacha20-Poly1305 as a combined
+ * operation with a requirement for state support (i.e. to support multipart)
+ */
+#include "cc3xx_internal_chacha20_poly1305.h"
+
 #ifdef __cplusplus
 extern "C" {
 #endif
@@ -96,9 +103,9 @@ struct cc3xx_aead_operation_s {
     size_t tag_length;            /*!< Size of the authentication tag */
 
     union {
-        AesGcmContext_t gcm;      /*!< Low-level GCM context */
-        AesCcmContext_t ccm;      /*!< Low-level CCM context */
-        ChachaContext_t chacha;   /*!< Low-level Chacha context */
+        AesGcmContext_t gcm;            /*!< Low-level GCM context */
+        AesCcmContext_t ccm;            /*!< Low-level CCM context */
+        ChachaPolyContext_t chachapoly; /*!< Low-level Chacha20-Poly1305 ctx */
     } ctx;
 };
 
diff --git a/lib/ext/cryptocell-312-runtime/codesafe/src/psa_driver_api/include/cc3xx_internal_chacha20_poly1305.h b/lib/ext/cryptocell-312-runtime/codesafe/src/psa_driver_api/include/cc3xx_internal_chacha20_poly1305.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2021, Arm Limited. All rights reserved.
+ * Copyright (c) 2021-2022, Arm Limited. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  *
@@ -16,11 +16,31 @@
 #define CC3XX_INTERNAL_CHACHA20_POLY1305_H
 
 #include "psa/crypto.h"
+#include "chacha_driver.h"
+#include "poly.h"
 
 #ifdef __cplusplus
 extern "C" {
 #endif
 
+/**
+ * \brief A context type to implement multipart APIs on the Chacha20-Poly1305
+ *        algorithm. The low level driver does not implement it so we let the
+ *        driver interface implement it by separately including Chacha20 context
+ *        and Poly1305 state defined in the low level driver and combining them.
+ *        As this is an internal detail of the driver implementation, follow
+ *        the same guidelines of the other contexts in terms of naming.
+ */
+typedef struct ChachaPolyContext_t {
+    ChachaContext_t chacha;        /*!< Context of the underlying Chacha20 */
+    PolyState_t poly;              /*!< Context of the underlying Poly1305 */
+    size_t ad_len;             /*!< Length of the data to be authenticated */
+    size_t plaintext_len;          /*!< Length of the data to be encrypted */
+    size_t curr_ad_len;         /*!< Size of the data authenticated so far */
+    size_t curr_plaintext_len;      /*!< Size of the data encrypted so far */
+    bool bAuthenticateInput; /*!< True when input is used for AEAD authent */
+} ChachaPolyContext_t;
+
 /**
  * \brief Encrypt and create auth tag with Chacha20-Poly1305
  */
diff --git a/lib/ext/cryptocell-312-runtime/codesafe/src/psa_driver_api/src/cc3xx_internal_chacha20_poly1305.c b/lib/ext/cryptocell-312-runtime/codesafe/src/psa_driver_api/src/cc3xx_internal_chacha20_poly1305.c
@@ -24,6 +24,14 @@
 #include "cc3xx_internal_chacha20.h"
 #include "cc3xx_internal_chacha20_poly1305.h"
 
+/* This function implements the block which generates the one time key
+ * to be used for Poly1305 as part of RFC7539 to be generated through
+ * Chacha20, i.e.
+ *     poly1305_key_gen(key, nonce):
+ *         counter = 0;
+ *         block = chacha_block(key, counter, nonce)
+ *         return block[0..31]
+ */
 static psa_status_t chacha20_poly1305_gen_otk(ChachaContext_t *context,
                                               uint8_t *otk,
                                               size_t otk_size)
@@ -43,9 +51,10 @@ static psa_status_t chacha20_poly1305_gen_otk(ChachaContext_t *context,
         return status;
     }
 
-    /* Calling chacha20_update after setting the counter to 0 and using an all-
-     * zero input is equivalent in getting as output of the Chacha20 encryption
-     * stage the output of the chacha20_block stage only, i.e. otk as per RFC
+    /* Calling chacha20_update using an all-zero input is equivalent in getting
+     * the output of the chacha_block() function only, i.e. the keystream. The
+     * size will be a 64 byte block but we need to take only the first 32 as
+     * output and they will represent the OTK (256 bit key (r,s))
      */
     status = cc3xx_chacha20_update(context,
                                    chachaInState, sizeof(chachaInState),
