Merge pull request #5617 from gilles-peskine-arm/chacha20-rfc7539-test-vector

PSA: ChaCha20: add RFC 7539 test vector with counter=1
2025-07-29 11:41:15 +03:00 · 2022-05-12 12:34:20 +02:00
parent 9bc53a2e84 c50dec07b2
commit 4014a0408e
3 changed files with 30 additions and 2 deletions
--- a/include/mbedtls/cipher.h
+++ b/include/mbedtls/cipher.h
@ -844,6 +844,12 @@ int mbedtls_cipher_set_padding_mode( mbedtls_cipher_context_t *ctx,
 * \note            Some ciphers do not use IVs nor nonce. For these
 *                  ciphers, this function has no effect.
 *
+ * \note            For #MBEDTLS_CIPHER_CHACHA20, the nonce length must
+ *                  be 12, and the initial counter value is 0.
+ *
+ * \note            For #MBEDTLS_CIPHER_CHACHA20_POLY1305, the nonce length
+ *                  must be 12.
+ *
 * \param ctx       The generic cipher context. This must be initialized and
 *                  bound to a cipher information structure.
 * \param iv        The IV to use, or NONCE_COUNTER for CTR-mode ciphers. This
--- a/include/psa/crypto_values.h
+++ b/include/psa/crypto_values.h
@ -489,8 +489,12 @@
 *
 * ChaCha20 and the ChaCha20_Poly1305 construction are defined in RFC 7539.
 *
- * Implementations must support 12-byte nonces, may support 8-byte nonces,
- * and should reject other sizes.
+ * \note For ChaCha20 and ChaCha20_Poly1305, Mbed TLS only supports
+ *       12-byte nonces.
+ *
+ * \note For ChaCha20, the initial counter value is 0. To encrypt or decrypt
+ *       with the initial counter value 1, you can process and discard a
+ *       64-byte block before the real data.
 */
 #define PSA_KEY_TYPE_CHACHA20                       ((psa_key_type_t)0x2004)