sys/psa_crypto: chacha20 multipart operation implementation [Rebase] #21927
Conversation
reallxo
requested review from
MichelRottleuthner,
aabadie and
leandrolanzieri
as code owners
github-actions
bot
added
Area: tests
AnnsAnns
added
the
CI: ready for build
|
It sounds like nothing was changed aside from rebasing it and from the looks of it you were ready for the final review in the original PR @mguetschow, is that still correct? |
AnnsAnns
left a comment
AnnsAnns
left a comment
There was a problem hiding this comment.
Thank you for your work on getting this merged again 😄
I did not look at the implementation itself, however, here are some nitpicks that have changed since the original PR was made. Also, please take a look at the static test output for a lot of complaints it has such as whitespaces, empty lines and long lines.
There are also a lot of todos left in multiple files, are these all still valid / are you addressing them in this PR?
AnnsAnns
changed the title
publicvoid1337
force-pushed
the
rebase-psa-cipher-chacha20-multipart-operation-implementation
branch
from
789c8b8 to
c04816e
Compare
crasbe
added
the
Type: new feature
reallxo
force-pushed
the
rebase-psa-cipher-chacha20-multipart-operation-implementation
branch
from
98e208d to
db565fd
Compare
publicvoid1337
force-pushed
the
rebase-psa-cipher-chacha20-multipart-operation-implementation
branch
from
2e63b87 to
2d6f9c6
Compare
crasbe
left a comment
crasbe
left a comment
There was a problem hiding this comment.
Although this PR is still in Draft stage, here are some style related comments.
Please not that I did not mark all the occurances of the documentation-blocks that have to be changed, please go through the code yourself to do the required changes.
| #endif | ||
|
|
||
| #ifdef CPU_NRF52 | ||
| #define CHECK_POINTER_DMA_ACCESS(p) ((unsigned int)p >= 0x20000000 ? (unsigned int)p < 0x40000000 : 0) |
There was a problem hiding this comment.
| #define CHECK_POINTER_DMA_ACCESS(p) ((unsigned int)p >= 0x20000000 ? (unsigned int)p < 0x40000000 : 0) | |
| # define CHECK_POINTER_DMA_ACCESS(p) ((unsigned int)p >= 0x20000000 ? (unsigned int)p < 0x40000000 : 0) |
New code that uses preprocessor conditionals, the preprocessor commands inside if-else statements should be indented: https://github.com/RIOT-OS/RIOT/blob/master/CODING_CONVENTIONS.md#indentation-of-preprocessor-directives
| #ifndef PSA_CRYPTOCELL_310_CHACHA_H | ||
| #define PSA_CRYPTOCELL_310_CHACHA_H | ||
|
|
There was a problem hiding this comment.
The code is missing the #pragma once. Just removing the header guards may (will) cause havoc.
| /* 8 bytes: the cipher operation uses the original [CHACHA20] definition | ||
| of ChaCha20: the provided IV is used as the 64-bit nonce, and the 64-bit | ||
| counter value is set to zero. */ |
There was a problem hiding this comment.
| /* 8 bytes: the cipher operation uses the original [CHACHA20] definition | |
| of ChaCha20: the provided IV is used as the 64-bit nonce, and the 64-bit | |
| counter value is set to zero. */ | |
| /* 8 bytes: the cipher operation uses the original [CHACHA20] definition | |
| * of ChaCha20: the provided IV is used as the 64-bit nonce, and the 64-bit | |
| * counter value is set to zero. */ |
There is a specific style for multi-line comments: https://github.com/RIOT-OS/RIOT/blob/master/CODING_CONVENTIONS.md#comments
| /* 12 bytes: the provided IV is used as the nonce, and the counter value | ||
| is set to zero. */ |
There was a problem hiding this comment.
| /* 12 bytes: the provided IV is used as the nonce, and the counter value | |
| is set to zero. */ | |
| /* 12 bytes: the provided IV is used as the nonce, and the counter value | |
| * is set to zero. */ |
| /* 16 bytes: the first four bytes of the IV are used as the counter value | ||
| (encoded as little-endian), and the remaining 12 bytes are used as the nonce. */ |
There was a problem hiding this comment.
| /* 16 bytes: the first four bytes of the IV are used as the counter value | |
| (encoded as little-endian), and the remaining 12 bytes are used as the nonce. */ | |
| /* 16 bytes: the first four bytes of the IV are used as the counter value | |
| * (encoded as little-endian), and the remaining 12 bytes are used as the nonce. */ |
| #endif | ||
|
|
||
| #if IS_USED(MODULE_PERIPH_CIPHER_CHACHA20) | ||
| #include "psa_periph_chacha20_ctx.h" |
There was a problem hiding this comment.
| #include "psa_periph_chacha20_ctx.h" | |
| # include "psa_periph_chacha20_ctx.h" |
| #include "crys_chacha.h" | ||
| #include "kernel_defines.h" | ||
|
|
||
| #if IS_USED(MODULE_PERIPH_CIPHER_CHACHA20) || DOXYGEN |
There was a problem hiding this comment.
Is this actually required? The header is conditionally included anyway as far as I can tell.
| /* 8 bytes: the cipher operation uses the original [CHACHA20] definition | ||
| of ChaCha20: the provided IV is used as the 64-bit nonce, and the 64-bit | ||
| counter value is set to zero. | ||
| This is currently not supported, as the current implementation only handles | ||
| 12-byte nonces. To change this, you would need to modify chacha20_ctx_t | ||
| and functions that are using this type. */ |
There was a problem hiding this comment.
This does not really count as "short multiline comment" anymore, so please adapt it to the appropriate style: https://github.com/RIOT-OS/RIOT/blob/master/CODING_CONVENTIONS.md#comments
| const uint8_t *data_in = &input[CHACHA20POLY1305_NONCE_BYTES]; | ||
|
|
||
| chacha20_encrypt_decrypt(data_in, output, key_buffer, nonce, input_length - CHACHA20POLY1305_NONCE_BYTES); | ||
| chacha20_encrypt_decrypt(key_buffer, nonce, 0, data_in, input_length - CHACHA20POLY1305_NONCE_BYTES, output); |
There was a problem hiding this comment.
Please add a line break here.
| typedef cipher_t psa_cipher_aes_256_ctx_t; | ||
| #endif | ||
| #if IS_USED(MODULE_PSA_RIOT_CIPHER_CHACHA20) | ||
| #include "crypto/chacha20poly1305.h" |
There was a problem hiding this comment.
| #include "crypto/chacha20poly1305.h" | |
| # include "crypto/chacha20poly1305.h" |
mguetschow
left a comment
mguetschow
left a comment
There was a problem hiding this comment.
Some preliminary comments. I know this is not your code originally, but I do have some questions that we should try to answer together (and maybe solve differently than in the current state).
| { | ||
| DEBUG("Peripheral ChaCha20 Cipher setup"); | ||
|
|
||
| if (key_length != CRYS_CHACHA_KEY_MAX_SIZE_IN_BYTES) { |
There was a problem hiding this comment.
Is the key length really fixed, or should that rather be a <= as the macro name implies?
| periph_status = CRYS_CHACHA_Init( &ctx->ctx.post_setup, | ||
| (uint8_t*)&iv[4], | ||
| CRYS_CHACHA_Nonce96BitSize, | ||
| ctx->buffer, | ||
| unaligned_get_u32(iv), | ||
| ctx->ctx.mode); |
There was a problem hiding this comment.
This looks quite dangerous as ctx->ctx is a union and both are accessed here.
In particular, what would happen if someone called _set_iv twice?
I think the context needs an extra field to store the current state (none, setup-done, iv-set, encoding/decoding, done?)
There was a problem hiding this comment.
Ah btw, this call misses the cryptocell_310_enable() call if Github is not betraying me.
Is this actually tested somewhere?
| if (ctx->buffer_length > 0) { | ||
| /* if yes, fill buffer up and update this block of data */ | ||
| input_index = sizeof(ctx->buffer) - ctx->buffer_length; | ||
| memcpy(&ctx->buffer[ctx->buffer_length], input, input_index); | ||
| periph_status = CRYS_CHACHA_Block( &ctx->ctx.post_setup, | ||
| ctx->buffer, | ||
| 64, | ||
| output); |
There was a problem hiding this comment.
I think you reworked this in your poly1305 branch, correct? Please update this branch accordingly.
| /* if yes, fill buffer up and update this block of data */ | ||
| input_index = sizeof(ctx->buffer) - ctx->buffer_length; | ||
| memcpy(&ctx->buffer[ctx->buffer_length], input, input_index); | ||
| periph_status = CRYS_CHACHA_Block( &ctx->ctx.post_setup, |
There was a problem hiding this comment.
You should definitely check somewhere before that ctx has been setup and set-iv before.
| void chacha20_encrypt_decrypt(const uint8_t *input, uint8_t *output, | ||
| const uint8_t *key, const uint8_t *nonce, | ||
| size_t inputlen); | ||
| void chacha20_encrypt_decrypt( const uint8_t *key, | ||
| const uint8_t *nonce, | ||
| uint32_t counter, | ||
| const uint8_t *input, | ||
| size_t input_length, | ||
| uint8_t *output); |
There was a problem hiding this comment.
Huh, so here we actually do change the public API of RIOT crypto code. We should definitely avoid this whenever possible (and here it seems it is only about reordering and renaming parameters).
| static void _xcrypt(chacha20poly1305_ctx_t *ctx, const uint8_t *key, | ||
| const uint8_t *nonce, const uint8_t *in, uint8_t *out, | ||
| size_t len, size_t counter) | ||
| { | ||
| /* Number of full 64 byte blocks */ | ||
| const size_t num_blocks = len >> 6; | ||
| size_t pos = 0; |
There was a problem hiding this comment.
Huh, why can this be removed?
7 participants
Contribution description
This pull request updates the former pull request “PSA cipher ChaCha20 multipart operation implementation” (#20788) by @Wunderbaeumchen99817 to the current state of the master branch.
The original changes have been rebased and split up into multiple commits to ensure clarity and make the review process easier.
The goal of this PR is to bring the previous contribution up to date and into a reviewable and maintainable form and request reviews from supervisors.
Testing procedure
TBD
Issues/PRs references
original pull request
Psa cipher chacha20 multipart operation implementation #20788
#20788