commit 3dc62a0a9b6776ca1f58724c5be01c77012edf94
author Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> Mon Jun 04 12:18:19 2018 +0200
committer Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> Mon Jun 04 12:18:19 2018 +0200
tree b3a4a9b824aecc4f1abeb68cab305b61eb379a39
parent 26c3b0a4b18fc7c24a00499d3f5a909509ce2bbe

chachapoly: force correct mode for integrated API

Allowing DECRYPT with crypt_and_tag is a risk as people might fail to check
the tag correctly (or at all). So force them to use auth_decrypt() instead.

See also https://github.com/ARMmbed/mbedtls/pull/1668

library/chachapoly.c

diff --git a/library/chachapoly.c b/library/chachapoly.c
index 8f78588..80c1ebf 100644
--- a/library/chachapoly.c
+++ b/library/chachapoly.c
@@ -311,15 +311,15 @@
     return( ret );
 }
 
-int mbedtls_chachapoly_crypt_and_tag( mbedtls_chachapoly_context *ctx,
-                                      mbedtls_chachapoly_mode_t mode,
-                                      size_t length,
-                                      const unsigned char nonce[12],
-                                      const unsigned char *aad,
-                                      size_t aad_len,
-                                      const unsigned char *input,
-                                      unsigned char *output,
-                                      unsigned char tag[16] )
+static int chachapoly_crypt_and_tag( mbedtls_chachapoly_context *ctx,
+                                     mbedtls_chachapoly_mode_t mode,
+                                     size_t length,
+                                     const unsigned char nonce[12],
+                                     const unsigned char *aad,
+                                     size_t aad_len,
+                                     const unsigned char *input,
+                                     unsigned char *output,
+                                     unsigned char tag[16] )
 {
     int ret;
 
@@ -341,6 +341,20 @@
     return( ret );
 }
 
+int mbedtls_chachapoly_encrypt_and_tag( mbedtls_chachapoly_context *ctx,
+                                        size_t length,
+                                        const unsigned char nonce[12],
+                                        const unsigned char *aad,
+                                        size_t aad_len,
+                                        const unsigned char *input,
+                                        unsigned char *output,
+                                        unsigned char tag[16] )
+{
+    return( chachapoly_crypt_and_tag( ctx, MBEDTLS_CHACHAPOLY_ENCRYPT,
+                                      length, nonce, aad, aad_len,
+                                      input, output, tag ) );
+}
+
 int mbedtls_chachapoly_auth_decrypt( mbedtls_chachapoly_context *ctx,
                                      size_t length,
                                      const unsigned char nonce[12],
@@ -358,7 +372,7 @@
     if( tag == NULL )
         return( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
 
-    if( ( ret = mbedtls_chachapoly_crypt_and_tag( ctx,
+    if( ( ret = chachapoly_crypt_and_tag( ctx,
                         MBEDTLS_CHACHAPOLY_DECRYPT, length, nonce,
                         aad, aad_len, input, output, check_tag ) ) != 0 )
     {
@@ -499,15 +513,14 @@
         ret = mbedtls_chachapoly_setkey( &ctx, test_key[i] );
         ASSERT( 0 == ret, ( "setkey() error code: %i\n", ret ) );
 
-        ret = mbedtls_chachapoly_crypt_and_tag( &ctx,
-                                                MBEDTLS_CHACHAPOLY_ENCRYPT,
-                                                test_input_len[i],
-                                                test_nonce[i],
-                                                test_aad[i],
-                                                test_aad_len[i],
-                                                test_input[i],
-                                                output,
-                                                mac );
+        ret = mbedtls_chachapoly_encrypt_and_tag( &ctx,
+                                                  test_input_len[i],
+                                                  test_nonce[i],
+                                                  test_aad[i],
+                                                  test_aad_len[i],
+                                                  test_input[i],
+                                                  output,
+                                                  mac );
 
         ASSERT( 0 == ret, ( "crypt_and_tag() error code: %i\n", ret ) );